WLAN with Radius authentication

  • WLAN with Radius authentication

    Hi guys

    I've never set up WLAN with radius authentication & am finding it a real battle. Has anyone got a procedure for setting it up using either XP or W7 as the wireless device, Linksys as the radius client & IAS 2003 or NPS 2008 as the radius server?

    I've run through about 5 procedures now off the net but they are all incomplete.

    I'm not sure how to troubleshoot it so I can only go by the procedures I've found on the net.

    I'd prefer not to use any certificates if I have to. I just want wireless clients to be prompted for their domain credentials.

    I've got 2 laptops I am testing with: 1 x XP & 1 x W7
    I have 2 WAPs I'm testing with : 1 x Cisco WAP4410N & 1 X Linksys WRT54G
    I have 2 IAS/NPS I can test with : 1 x 2003 IAS & 1 X 2008 NPS

    Cisco WAP4410N =
    Linksys WRT54G =

    The settings for both as far as I know are supposed to be WPA2 enterprise with AES?
    The WAP points to the IP address of the radius server & has a shared secret which is entered on the IAS/NPS also

    XP & W7 client setting I am not 100% sure on.

    I have tried about 5 different IAS/NPS setups now. All contradict each other.

    Any advice?

  • #2
    Re: WLAN with Radius authentication

    It's ok, I have worked it all out.


    • #3
      Re: WLAN with Radius authentication

      Perhaps you may want to share your solution with other people who may struggle as you did.
      If you do so, can you try to be a bit specific about what exactly was the issue and how you managed to resolve it.

      Caesar's cipher - 3




      • #4
        Re: WLAN with Radius authentication

        Sure. I had never set up wireless authentication using radius before, but knew it was available. Most of our clients are fine with just WPA2, as the computers are all owned by the company & stay on premises or are returned to premises.

        But a sales client we had has sales people that come & go frequently & they bring their own laptops & iPads. We can't use WPA2 on its own in that scenario, as when a sales person leaves, they take their laptop with them. This leaves a security black hole because the agent that has left can potentially park their car outside the office & still be connected to our internet. Changing the WPA key or MAC filtering is just too much administrative overhead. We needed radius, so that when someone left, we disabled their AD account & that was the end of the story. No more wireless connection for them.

        It took me a couple of days on & off but the hardest part is actually getting the client settings right. If your laptops are already members of the domain then you will have few problems. If they are not, you will need to manually change the client's advanced settings.

        Items needed for it to work.

        1) 1 x IAS/NPS
        2) 1 x Certificate authority. I used self signed certificates instead of a purchased one.
        3) 1 x WAP. For the purpose of my test I used a Cisco WAP4410N & a Linksys WRT54G
        4) 1 x Client. For the purpose of the test I used an XP Pro laptop, a Windows 7 laptop, an iPad, an iPhone, Nokia E72 & HTC Touch.

        I can't post the procedure I used, which I created in OneNote for my staff to replicate, but I will post all the links that solved it for me.

        First create the self signed certs.

        W2K3 :

        W2K8 :

        Next set up IAS/NPS.


        This one also helped.


        Set up the WAP (Radius clients):

        I set the Linksys up pretty much like this:

        But used WPA2 Enterprise mixed.

        I set the Cisco up pretty much the same, except in connection control I set it to disabled. It's on pg 45 of this document.

        The client side configuration was the trickiest thing to get right.

        Make sure you get the cert onto your Windows devices. I just used a USB thumb drive.

        I configured the clients (not to be confused with the radius clients) pretty much like this:

        Except instead of finding the SSID, I clicked add & entered it all in manually. Also, very very important for my particular non domain devices: I unticked the radio button in the very last screen shot, as logs showed it tried to log on with the computer name. I also used single sign on, "perform immediately after user logon".

        I tried to post some screen shots but it kept crashing.

        Note: check your event logs if you don't get a connection. It will tell you why.

        If anyone has anything to add or can advise me how I could have done it differently, let me know & I will update my own procedures.

        With the iPhone & iPads you just need to tell them to accept the cert when it gives you a prompt.

        Hope that helps someone. I've rolled it out on a few sites now & it's made life easier.
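
The advice in post #4 to check the event logs, and the case where a non-domain laptop tried to log on with its computer name, can be checked on the server side with the following added example (not part of the original posts). It assumes NPS on Windows Server 2008 or later with Network Policy Server auditing enabled, PowerShell 2.0 or later, and the standard NPS event IDs 6272 (granted) and 6273 (denied) with their usual field names; the one-hour window is an arbitrary choice.

```powershell
# Added example: list recent NPS accept/reject decisions and flag attempts
# made with a computer account instead of a user account.
# Run in an elevated PowerShell session on the NPS server.
$since = (Get-Date).AddHours(-1)   # assumption: look back one hour

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273         # 6272 = access granted, 6273 = access denied
    StartTime = $since
} -ErrorAction SilentlyContinue    # no matching events is not an error here

$rows = foreach ($e in $events) {
    # Read the named fields from the event XML instead of parsing message text.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    $user   = $data['SubjectUserName']
    $result = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }

    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Result    = $result
        User      = $user
        # Computer accounts end in '$' or are presented as host/<name>.
        IsMachine = ($user -match '\$$' -or $user -match '^host/')
        Client    = $data['ClientName']         # RADIUS client, i.e. the WAP
        Station   = $data['CallingStationID']   # MAC address of the wireless device
        EapType   = $data['EAPType']
        Reason    = $data['Reason']             # text explaining a denial
    }
}

$rows | Sort-Object Time |
    Format-Table Time, Result, User, IsMachine, Client, Station, Reason -AutoSize
```

A `Denied` row with `IsMachine` set to `True` corresponds to the computer-name logon attempt described above, and a `Denied` row for a user whose AD account has been disabled confirms that disabling the account cuts off their wireless access.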