ias and wifi problems and questions

  • ias and wifi problems and questions

    good evening

    i am trying to get the wifi AP (edimax) to use my radius server for authentication.

    is it possible to use IAS without certificates? i mean that the client that connects to the WIFI will be authenticated with his current logon credentials...

    server 2003 r2 with sp2 (this is the main DC)

    what i have done:
    configured IAS on the DC like this:
    in the IAS --> Radius Clients added a new client with the wizard
    friendly name = wifi-test
    address =
    client-vendor = radius standard
    and here is also a check box that i DID NOT SELECT (don't know if needed)
    "request must contain the message authenticator attribute"

    and the shared secret = some password

    ok this is the radius client part.

    now i have configured the remote access policies:
    used the wizard
    policy conditions =
    nas-port-type matches wireless or other wireless IEEE 802.11 and wireless other

    and also
    windows group matches (i created a user group called wifi-allow) domain-name\wifi-allow

    and selected the check box grant remote access.

    inside the edit profile settings:

    TAB called dial in constraints. = nothing selected. (default)

    TAB called IP. = check box selected "server settings determine address assignment". IP FILTERS are both empty. (default)

    TAB called Multilink = server settings determine multilink usage (default)

    TAB called Advanced = service type radius standard framed

    TAB called encryption = all selected (default)

    TAB called authentication = here i have tried combinations
    sometimes all selected sometimes only part of it.... (i am guessing here is maybe the problem)

    what should i select here?

    and also there is a EAP Methods button...

    i am trying to accomplish that logon credentials will be used against the radius to authenticate....

    i have also changed in the default domain policy "store passwords using reversible encryption" to enabled

    while trying to connect with my laptop
    i see in the event viewer also errors:

    Event Type:	Error
    Event Source:	IAS
    Event Category:	None
    Event ID:	3
    Date:		14/04/2008
    Time:		18:44:16
    User:		N/A
    Computer:	JUPITER
    Access request for user [email protected] was discarded.
     Fully-Qualified-User-Name = domain-name/domain/Users/Yaniv
     NAS-IP-Address =
     NAS-Identifier = Realtek Access Point. 8181
     Called-Station-Identifier = 000e2e7b6d64
     Calling-Station-Identifier = 001cbf689e71
     Client-Friendly-Name = wifi-test
     Client-IP-Address =
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 0
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows 
     Authentication-Server = <undetermined> 
     Reason-Code = 23
     Reason = Unexpected error. Possible error in server or client configuration. 
    For more information, see Help and Support Center at
    0000: 04 20 09 80               . .€

    what about this:
    Authentication-Server = <undetermined>

    thanks for any help
    Last edited by yaniv; 14th April 2008, 19:14.
    MCSE 2000 Done
    RHCE Done
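
The check box left unselected in the post above concerns the RADIUS Message-Authenticator attribute (type 80): an HMAC-MD5 over the whole packet, keyed with the shared secret, which RFC 3579 makes mandatory on requests that carry EAP. The sketch below is an added example, not part of the original thread and not IAS code; the function names and sample values are constructed, and `required` stands in for the check box.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type; the value is always 16 bytes


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, user: bytes, req_auth: bytes) -> bytes:
    """NAS side: Access-Request (code 1) with User-Name and Message-Authenticator."""
    attrs = attr(1, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet, computed while the value is 16 zero bytes.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_request(secret: bytes, packet: bytes, required: bool = True) -> bool:
    """Server side; `required` models the check box on the RADIUS client entry."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos, value_at = 20, None
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or value_at is not None:
                return False  # wrong size or duplicated
            value_at = pos + 2
        pos += a_len
    if pos != len(packet):
        return False  # trailing byte that is not a full attribute
    if value_at is None:
        return not required  # unsigned request: accepted only if not required
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[value_at:value_at + 16])


if __name__ == "__main__":
    secret = b"some password"  # constructed sample shared secret
    req = build_access_request(secret, 7, b"yaniv", bytes(range(16)))
    print("signed request accepted:", verify_request(secret, req))
    print("wrong shared secret accepted:", verify_request(b"other", req))
```

With `required=False`, a request that omits the attribute passes this check without any proof that the sender knows the shared secret.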

  • #2
    Re: ias and wifi problems and questions


    i used certificates.

    i found the solution here

    here is how:

    i have installed the server 2003 resource kit (custom install) installed only the selfssl

    used this cmd to create my cert:

    go to this path
    C:\Program Files\IIS Resources\SelfSSL
    You then type the following command.

    this will change your IIS cert settings... so if you have some special settings... only continue if you know what you are doing.

    selfssl / /K:1024 /V:1825 /S:1 /P:443
    /N:CN should be set to your ServerName and your fully qualified domain name.
    /K: typically set to 1024. 1024 is the number of bits allocated to the RSA key.
    /V: is the number of days before the certificate expires. 1825 days is 5 years.
    /S: is the site number in IIS.
    /P: is the TCP port number. 443 is the standard SSL port.

    for more information about this please visit the original website... you can find the link at the beginning of this post

    after that i have used the mmc snap in certificates to export my certificate...
    i am not sure if needed...

    then i reconfigured my ias --> remote access policies

    to use PEAP only at the authentication tab i have NOTHING selected... only the EAP options are configured...

    if someone needs help or has more questions feel free to ask.

    good luck

    Last edited by yaniv; 15th April 2008, 08:41. Reason: typos
    MCSE 2000 Done
    RHCE Done