Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

 
ninjaburn81
Occasional Contributor

Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?


We have purchased an HP MSM710 Mobility Controller and a number of MSM310 access points. Set up of the controller itself is relatively straightforward, however I am having a large amount of difficulty with the Authentication side of things. 

So we don't have to worry about using a preshared key, I would like to set up my IAS RADIUS server to handle 802.1x authentication requests and to feed the Dynamic key back to the connecting client. Unfortunately I think I am missing something in my set up, so I'm trying from scratch and starting again. 

Some more details:
I have already set up the Controller to handle WPA (and later tested WPA2) encryption with TKIP and a pre-shared key. This works fine. However I now wish to enable 802.1x authentication using a Windows 2003 IAS (RADIUS) server to handle the key dynamically. However I cannot seem to allow the client to authenticate properly, and I am not sure where the problem lies. I have pored through the MSMxxx Manage/Config guide and it is not helpful here...

On the IAS side, I have set up a client profile for the MSM710, using RADIUS Standard, and have set up a simple shared key to eliminate testing issues there. I have logging open for everything. For simplicity I also set up a Remote Access Policy for Wifi that would just allow for all Domain Users. I then attempted setting up a self-signed cert for the RADIUS server using the method outlined here: http://www.techrepublic.com/article/ultimate-wireless-security-guide-self-signed-certificates-for-your-radius-server/6148560

The cert was created fine and I manually added it to the test laptop (Win XP SP3) and then I set up the WZC for the SSID, set it for PEAP, WPA/TKIP, and set it to use the self-signed cert. 

Finally on the MSM710 controller, I set the VSC (there is only one at the moment, again for testing) to use WPA/TKIP encryption with a Dynamic key source, set 802.1x authentication to Remote, and RADIUS to the 'Default RADIUS Profile Name' (only one.) Opened up the RADIUS profile, set the server address (IP) and shared secret. Settings are all defaulted, including the MSCHAPv2 authentication method. Also, the global 802.1x settings are the defaults.

Finally, I attempt to connect; on the laptop side, it just stops at 'Validating Identity' and there is basically nothing in the Event Logs of the laptop. Oddly, there are no logs in the RADIUS server as well. (FYI, the RADIUS server is also validating VPN requests, and those ARE working and being logged properly.) So I go to the Controller system logs, and it appears it is continually attempting to access the RADIUS server, but cannot.

I should note at this point that everything in testing is on the same subnet. No VLANs are being used for testing either. The controller can ping the RADIUS server, and vice versa.

 

At this point I am at a complete loss. I have attached a slightly sanitized version (replaced username and domain name) of the unfiltered system logs with the RADIUS debug from my Controller and I am hopeful someone can walk me through what I am missing. Everything I have done I've detailed above so if I am missing a step, should check something, whatever, please tell me!

5 REPLIES
Fredrik Lönnman
Honored Contributor

Re: Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

You don't see anything at all regarding IAS in the Event Viewer logs? It should be under Security or System.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

ninjaburn81
Occasional Contributor

Re: Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

Nothing...and I was referring to the IAS log file that is created separately from the Event logs, but those are empty too in regards to this. I'm starting to think it's something on the controller's side, where it is not communicating with the RADIUS server properly. Is my methodology correct for the set up? Did I miss something with the certificate?

Fredrik Lönnman
Honored Contributor

Re: Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

Really strange that you don't see anything in the IAS logs. In the controller log you attached it seems as if it's receiving access requests from the RADIUS server:

 

Jul 13 10:34:35 debug    iprulesmgr   Received RADIUS Access Request (id='35') for user (calling-station-id='00-13-CE-38-CC-6C',virtual-ap-index='1') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32774',called-station-id='00-0F-61-89-99-E0').
Jul 13 10:34:36 debug    iprulesmgr   Sending RADIUS Packet (Length:'340',Code:'Access-Request',Id:'49') to RADIUS Server (Ip:'192.168.100.13',Port:'1812') for User (nas-port:'1924',username:'<domain\username>').
Jul 13 10:34:36 debug    iprulesmgr   Received RADIUS Access Request (id='49') for user (calling-station-id='00-13-CE-38-CC-6C',virtual-ap-index='1') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32774',called-station-id='00-0F-61-89-99-E0').

 

In the VSC settings, have you checked "Use controller for authentication"? Without that the APs will try to authenticate to the IAS by themselves.. but I'm not sure if you should have gotten those entries in your log if that were the case.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S
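
Added example, not part of the original thread and not HP tooling: a small Python parser for the controller debug lines quoted above that counts the Access-Requests forwarded to each RADIUS server and checks whether any reply was logged. It assumes a logged reply would name a standard RADIUS code (Access-Accept, Access-Reject or Access-Challenge); the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three debug lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = r"""
Jul 13 10:34:35 debug    iprulesmgr   Received RADIUS Access Request (id='35') for user (calling-station-id='00-13-CE-38-CC-6C',virtual-ap-index='1') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32774',called-station-id='00-0F-61-89-99-E0').
Jul 13 10:34:36 debug    iprulesmgr   Sending RADIUS Packet (Length:'340',Code:'Access-Request',Id:'49') to RADIUS Server (Ip:'192.168.100.13',Port:'1812') for User (nas-port:'1924',username:'<domain\username>').
Jul 13 10:34:36 debug    iprulesmgr   Received RADIUS Access Request (id='49') for user (calling-station-id='00-13-CE-38-CC-6C',virtual-ap-index='1') from IEEE802dot1x RADIUS Client (ip-address='169.254.0.4',port='32774',called-station-id='00-0F-61-89-99-E0').
"""

# The log mixes key='value' and Key:'value' pairs; capture both forms.
PAIR = re.compile(r"([A-Za-z][\w-]*)\s*[=:]\s*'([^']*)'")
# Reply codes from RFC 2865. Assumption: a logged server reply names one of them.
REPLY = re.compile(r"Access-(Accept|Reject|Challenge)")

def parse_line(line):
    """Return the line's fields (keys lower-cased) plus a 'kind' label."""
    fields = {k.lower(): v for k, v in PAIR.findall(line)}
    if "Sending RADIUS Packet" in line and fields.get("code") == "Access-Request":
        fields["kind"] = "to_server"
    elif "Received RADIUS Access Request" in line:
        fields["kind"] = "from_8021x_client"
    elif REPLY.search(line):
        fields["kind"] = "server_reply"
    else:
        fields["kind"] = "other"
    return fields

def summarize(log_text):
    """Count forwarded Access-Requests per server and any logged replies."""
    servers = defaultdict(lambda: {"requests": 0, "ids": []})
    stations, replies = set(), 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        f = parse_line(line)
        if f["kind"] == "to_server":
            entry = servers[(f["ip"], f["port"])]
            entry["requests"] += 1
            entry["ids"].append(f["id"])
        elif f["kind"] == "from_8021x_client":
            stations.add(f["calling-station-id"])
        elif f["kind"] == "server_reply":
            replies += 1
    return {"servers": dict(servers), "stations": sorted(stations),
            "server_replies": replies,
            "unanswered": bool(servers) and replies == 0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the three quoted lines this reports one Access-Request sent to 192.168.100.13 port 1812 and no logged reply. RFC 2865 requires a RADIUS server to silently discard requests from a client for which it holds no shared secret, so the client entry on the server is one thing to compare against the address the controller sends from.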

ninjaburn81
Occasional Contributor

Re: Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

Nope, Use Controller for Authentication has always been checked. I just wish the documentation was better, b/c it doesn't give any 'if you don't do this, it won't work!' kinds of things.

 

I attached screen shots of all my VSC configs and radius configs (profile and settings). 

 

Like I said I have to wonder if it's the self-signed cert I'm using but I would think I would be getting errors on the certs not working. What is really odd is I cannot even get the controller to authenticate with AD either! But I'd rather not muddy the waters at the moment...

Mark Wibaux
Trusted Contributor

Re: Set up HP MSM710 Mobility Controller (or related) to a Windows IAS Radius Server?

Better to create a Certificate Authority in your Windows domain and get your workstations to get their own "computer" certificate?

Sounds like you created a self-signed cert for the RADIUS server then imported it to the laptop. This won't work as the laptop needs its own certificate to authenticate with, not the RADIUS server's one.

 

Process I follow for 802.1x in a Windows environment is:

Set up a Certificate Authority server.

Configure Group Policy to enable the Certificate auto-enrollment option for all workstations (though you could just restrict it to laptops that you want to have access to the wireless network) and at least the server running IAS (though normally I just let all servers request a certificate).

In most cases I want the laptop to access the wireless network regardless of who is logging in to it, so I set up a RADIUS policy that allows access based on the computer object being a member of a specific group.

Configure a GP that pushes out suitable Wireless settings making sure that the authentication is set to use "Computer" rather than "User". For testing you should be able to create a manual profile on the test machine that has all the settings; if you let Windows auto-create the profile it might not configure it correctly for authentication.

 

Some of the group policy features won't be there if you use a 2003 server or XP machine to create the GP. If you use a 2008 or Vista/7 machine to create the GP then you will get many more options for your wireless settings in the GP.