Configure RADIUS

Hello,

I have previously posted this question in a different forum, but I was advised to redirect my query here. Please see the link below to see the existing thread.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a3570cf3-9a5b-4e3e-ba0e-57c512d863f8

I will shortly be posting a video of my setup so people can see where I am going wrong.

Thank you for your help.

February 4th, 2011 4:25pm

On Fri, 4 Feb 2011 13:25:47 +0000, Steve Mills wrote:

I have previously posted this question in a different forum, but I was advised to redirect my query here. Please see the link below to see the existing thread.

The first problem you've got is that you've configured one end of your
solution to use shared secrets and the other end to use certificates. The
two are mutually exclusive.
The second problem you've got is that you're dealing with SBS. I know
you're not going to like this, but your best bet is to post this question
in an SBS specific

February 4th, 2011 4:34pm

Right, the shared secrets bit, that's news to me... so I have to choose either shared secrets or certificates, that's how I understand what you're saying, right?

If that's the case then...

Why does my router allow shared secrets when the manufacturer has told me that it only supports EAP-TLS? (I was under the impression that EAP-TLS was certificate based. I had no idea that a shared secret had nothing to do with this; I thought the shared secret was a way of authorising the router to talk to the RADIUS.)

Secondly, how on earth are you supposed to configure it without using shared secrets? I thought if that was missed out it just wouldn't work at all.

Also, I don't get why some are saying to post in SBS. Don't forget that SBS is Windows 2008 Standard; there is nothing really that unusual about this. As far as I'm aware this is not an SBS problem, it's a networking and certificate problem with Windows Standard and Enterprise. I'd bet if I set up Windows 2008 Standard like this I'd get exactly the same problem; I might just do that to prove a point.

Thanks

February 4th, 2011 6:35pm

I will post this question on the SBS forum, but if you are able to assist me after watching my videos please do leave more information here. You can find the video at

http://cid-3cc1980caf326264.office.live.com/browse.aspx/RADIUS%20Setup

Two different codecs, same video; choose whichever suits.

Thank you

February 4th, 2011 6:53pm

Hi Steve

I think your post is right where it needs to be hehe :) Don't keep moving it :) Okay, let's try to see what we can do here. I read your post in the link you initially provided and I am going to try and keep this as simple as possible :) I haven't seen the video; problems with my account (but that's another story).

Anyway, one question: do your switches support RFC 3580? It's some 802.1x thing, you can read about it here: http://www.rfc-editor.org/rfc/rfc3580.txt If your AP doesn't support this then your setup won't work. Try updating the router's firmware and asking your manufacturer if the router supports this. If your configs on the NPS and on the AP are correct, as they seem to be, then that's the only problem left.

Don't worry about the client side yet :) WPA2 with AES is correct as it is for your current setup, so the problem is on the AP, though you might have to change the authentication model to use EAP-TLS for the clients. The shared secret, if it's the same on both sides then that's cool, don't worry about EAP-TLS or PEAP for the shared secret. I am sure there isn't an option for choosing the encryption for the shared secret anyway!! :) IT IS ALL IRRELEVANT FOR THE SHARED SECRET!!!!! :)

So check to see the support for EAP types on your AP with the manufacturer and work from there :) Look at it like this: you are a middle man but your customer requests white diamonds and you only know of certain diamonds but not white diamonds; the seller sells all types of diamonds including white diamonds. You go to him and say "AY I need some type of diamonds" and the seller will say "An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid." :)

Hope this helps or points you in the right direction O._.O

February 5th, 2011 1:10am

Hi,

Thanks for your response.

Physically this is my setup, starting from the internet connection:

1. The router is connected to the internet; the router also functions as a WAP and only supports EAP-TLS when used in RADIUS mode.

2. The router is internally connected to a switch via network cable (which I don't think supports 802.1x, but if I'm configuring wireless does the wired switch have to support this too?)

3. The switch is then connected to my server via a network cable.

I guess the biggest question now is: even if I am configuring wireless 802.1x, does that mean that my wired switch also has to support this because it's between the server and the WAP?

Thanks

February 5th, 2011 1:36pm

Hi,

I don't think the switch has to support 802.1x for this setup. Your router is the AP and you have configured it in your network as a RADIUS client which is pointing to the RADIUS server, NPS/IAS, whichever you have. You are configuring 802.1x with PEAP MS-CHAP v2. If your AP, the router, doesn't support certain EAP methods it won't be able to authenticate users, let alone go past the connection request policy phase. Most manufacturers will say compliance with RFC 3580, so ask your manufacturer or find out if the router/AP supports this. Don't worry about the switches if they are not RADIUS clients; worry about the AP, which is a RADIUS client, the settings and the support for EAP methods.

February 5th, 2011 2:48pm

Steve, did you ever get this working?
January 30th, 2014 5:36am

I did, yes, but it was quite a long time ago. I have since moved jobs and didn't keep my documentation. At my previous employer an outsourced provider came in and wrecked it all anyway. If I need to do this again I will just have to use more modern technology and methods. I think the issue was to do with Server 2008 and I had to use 2008 R2 for version 3 certificates, if my memory serves me right. Since we only had Standard editions, version 3 wasn't supported until we moved onto Standard 2008 R2. I'm pretty sure that's what it boiled down to, and you provided most of the help in my original post also; between the two of us we figured it out. I am sure it was that simple certificate thing that caused my problems.

Thanks

Steve

February 26th, 2014 6:23am

Good to hear you got a new job. I'm sure it was probably the cert issue, if you had 2008 Std. Thanks for responding!

I hope things go well in your new position!

March 1st, 2014 12:30pm

On Sat, 1 Mar 2014 17:24:31 +0000, Ace Fekay [MCT] [MVP] wrote:

Good to hear you got a new job. I'm sure it was probably the cert issue, if you had 2008 Std. Thanks for responding!

You two are confusing certificate templates with certificates. All
Microsoft CAs issue V3 certificates. It is the certificate templates that
are dependant on the OS ve

March 1st, 2014 1:20pm
