Configure RADIUS
Hello,
I have previously posted this question in a different forum, but I was advised to redirect my query here. Please see the link below to see the existing thread.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a3570cf3-9a5b-4e3e-ba0e-57c512d863f8
I will shortly be posting a video of my setup so people can see where I am going wrong.
Thank you for your help.
February 4th, 2011 8:32am
On Fri, 4 Feb 2011 13:25:47 +0000, Steve Mills wrote:
> I have previously posted this question in a different forum, but I was advised to redirect my query here. please see the link below to see the existing thread.
The first problem you've got is that you've configured one end of your
solution to use shared secrets and the other end to use certificates. The
two are mutually exclusive.
The second problem you've got is that you're dealing with SBS. I know
you're not going to like this, but your best bet is to post this question
in an SBS specific forum.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
If a train station is where the train stops, what is a work station?
February 4th, 2011 8:40am
Right, the shared secrets bit, that's news to me.... So... I have to choose either shared secrets or certificates, that's how I understand what you're saying, right??
If that's the case then...
Why does my router allow shared secrets when the manufacturer has told me that it only supports EAP-TLS (I was under the impression that EAP-TLS was certificate based. I had no idea that a shared secret had nothing to do with this, I thought shared secret was a way of authorising the router to talk to the RADIUS).
Secondly, how on earth are you supposed to configure it without using shared secrets? I thought if that was missed out it just wouldn't work at all.
Also, I don't get why some are saying to post in SBS. Don't forget that SBS is Windows 2008 Standard, there is nothing really that unusual about this. As far as I'm aware this is not an SBS problem, it's a networking and certificate problem with Windows Standard and Enterprise. I'd bet if I set up Windows 2008 Standard like this I'd get exactly the same problem, I might just do that to prove a point.
Thanks
February 4th, 2011 10:37am
I will post this question on the SBS forum, but if you are able to assist me after watching my videos please do leave more information here. You can find the video at
http://cid-3cc1980caf326264.office.live.com/browse.aspx/RADIUS%20Setup
Two different codecs, same video, choose whichever suits.
Thank you
February 4th, 2011 10:55am
Hi Steve
I think your post is right where it needs to be hehe :) don't keep moving it :) Okay, let's try to see what we can do here.. I read your post in the link you initially provided and I am going to try and keep this as simple as possible.. :) I haven't seen the video.. problems with my account (but that's another story)
Anyway.. 1 question.. do your switches support RFC 3580?? It's some 802.1x thing, you can read on it here
http://www.rfc-editor.org/rfc/rfc3580.txt
If your AP doesn't support this then your setup won't work. Try updating the router's firmware and asking your manufacturer if the router supports this. If your configs on the NPS and on the AP are correct, as they seem to be, then that's the only problem left.
Don't worry about the client side yet :) WPA2 with AES is correct as it is for your current setup, so the problem is on the AP, though you might have to change the authentication model to use EAP-TLS for the clients. The shared secret, if it's the same on both sides then that's cool, don't worry about EAP-TLS or PEAP for the shared secret, I am sure there isn't an option for choosing the encryption for the shared secret anyway!! :)
IT IS ALL IRRELEVANT FOR THE SHARED SECRET!!!!! :)
So check to see the support for EAP types on your AP with the manufacturer and work from there :) Look at it like this.. you are a middle man but your customer requests white diamonds and you only know of certain diamonds but not white diamonds, the seller sells all types of diamonds including white diamonds.. you go to him and say "AY I need some type of diamonds", the seller will say "An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid." :)
Hope this helps or points you in the right direction O._.O
tech-nique
February 4th, 2011 5:12pm
Hi,
Thanks for your response.
Physically this is my setup, starting from the internet connection:
1. The router is connected to the internet, the router also functions as a WAP and only supports EAP-TLS when used in RADIUS mode.
2. The router is internally connected to a switch via network cable (which I don't think supports 802.1x, but if I'm configuring wireless does the wired switch have to support this too????)
3. The switch is then connected to my server via a network cable.
I guess the biggest question now is - even if I am configuring wireless 802.1x, does that mean that my wired switch also has to support this because it's between the server and the WAP???
Thanks
February 5th, 2011 5:38am
Hi,
I don't think the switch has to support 802.1x for this setup.. your router is the AP and you have configured it in your network as a RADIUS client which is pointing to the RADIUS server NPS/IAS, whichever you have.. you are configuring 802.1x with PEAP MSCHAP v2. If your AP, the router, doesn't support certain EAP methods it won't be able to authenticate users, let alone go past the connection request policy phase... most manufacturers will say compliance with RFC 3580 so ask your manufacturer or find out if the router/AP supports this. Don't worry about the switches if they are not RADIUS clients, worry about the AP which is a RADIUS client, the settings and the support for EAP methods.
tech-nique
February 5th, 2011 6:50am


