That sounds like you could have some underlying AD issues causing the problem.  
Have you verified replication is working correctly?

________________________________

From: [email protected] on behalf of Robert Portvliet
Sent: Mon 2/1/2010 8:02 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Configuring WPA2 & RADIUS


I was incorrect, each building is its own site in AD & its own subnet, which 
is a /16 on a private class A. 



On Sun, Jan 31, 2010 at 8:43 PM, Robert Portvliet <[email protected]> 
wrote:


        That was going to be my next move, mirror the switchport the AP is plugged into & take a capture of the auth attempt. (I'll do that tomorrow morning)

        Like I said I'm coming into this a bit after the fact & didn't do the initial setup, but yes the cert is self signed & generated using Microsoft CA (I'll look into the settings further though), the clients are all Vista btw.

        As far as the network, it's flat with layer 3 routing only in the core switch, each building is on its own vlan, but the wireless vlan is the same no matter what building you are in, as far as AD goes there's only one site, each building is an OU under that.

        I'm more of a Linux\Unix guy so I'm a bit light in the AD end of things, I think it might be something to do with policy, but according to the systems engineer you should be getting the same policy no matter where you go.

        Thanks much for the help!




        On Sat, Jan 30, 2010 at 8:55 PM, Tim Mugherini <[email protected]> 
wrote:
        

                Robert,

                First I would not trust the Radius server logs, grab a packet dump to verify they are not trying to auth as the computer acct (I have seen MS IAS not log attempts so even though I have no experience with 2k8 NPS I would not trust the logs)

                Also you mentioned diff buildings, diff subnets? AD sites?

                Lastly you mentioned certificates are you using a self signed on the Radius server, MS CA? If MS CA what are your GO settings for the Radius and Certs (have seen issues with MS CA and "verification" on XP so just a hunch on my part.)

                Tim


                On Sat, Jan 30, 2010 at 10:26 AM, Robert Portvliet
                <[email protected]> wrote:
                >
                > I'm attempting to troubleshoot an issue with an implementation of WPA2 & RADIUS with certificates (for wireless authentication), it is a somewhat perplexing issue which I am hoping someone on the list may be able to provide some guidance on.
                >
                > In the building local to the Radius server, the machine will authenticate to the Radius server using the machine name without issue, however in the other buildings the same machine (even using the same access point) will never try to pass the machine name to authenticate... it passes the user name, which works if we allow that method of authentication, but it's not what we're after obviously.
                >
                > The strange thing is I see no trace in the Radius server log of it even trying the machine name and the policy the machine receives should be the same in each building.
                >
                > For the Radius server I am using NPS on win2k8. The client machines are Vista (latest patch level), APs are HP ProCurve, physical media is single mode fiber between the buildings.
                >
                > I came into this a little late in the game, from what I can tell everything seems to be configured correctly, but I'm getting the feeling I'm missing something stupid, lol
                >
                >
                > Thanks in advance!
                >
                >
                >
                
                > _______________________________________________
                > Pauldotcom mailing list
                > [email protected]
                > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
                > Main Web Site: http://pauldotcom.com <http://pauldotcom.com/> 
                >




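Tim's advice above is to trust a packet capture from the mirrored switchport rather than the NPS log, and check whether the client ever offers its machine identity. As an added example (not code from anyone on the thread), the script below parses raw EAP frames (RFC 3748 header: Code, Identifier, Length, Type) and classifies each EAP-Response/Identity by the name the supplicant sent. It assumes the Windows supplicant's convention that machine authentication uses an identity beginning with "host/", which the thread does not state; the sample frames are constructed here, not taken from a real capture, and the computer and user names in them are placeholders.

```python
"""Classify EAP-Response/Identity frames from a mirrored-port capture.

Added example: given raw EAP packets (RFC 3748 header: Code, Identifier,
Length, Type), extract the Identity string a supplicant sent and decide
whether it is a machine identity (assumption: Windows sends "host/<computer>.<domain>")
or a user identity (DOMAIN\\user or user@realm).  The sample frames below are
constructed for this example, not taken from a real capture.
"""
import struct
from dataclasses import dataclass

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


@dataclass
class EapIdentity:
    identifier: int
    identity: str
    kind: str  # "machine", "user" or "anonymous"


def classify_identity(identity: str) -> str:
    """Assumption: Windows 802.1X machine authentication uses a 'host/' identity prefix."""
    lowered = identity.lower()
    if lowered.startswith("host/"):
        return "machine"
    if lowered.startswith("anonymous"):
        return "anonymous"  # PEAP outer identity with identity privacy enabled
    return "user"


def parse_eap_identity(frame: bytes):
    """Return an EapIdentity for an EAP-Response/Identity frame, else None.

    Raises ValueError on a truncated or malformed EAP header so a bad frame
    is noticed rather than silently miscounted.
    """
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError(f"EAP length {length} inconsistent with frame size {len(frame)}")
    if code != EAP_CODE_RESPONSE or length < 5:
        return None  # Request, Success, Failure, or a Response with no Type byte
    if frame[4] != EAP_TYPE_IDENTITY:
        return None  # e.g. EAP-TLS (13) or PEAP (25) payload, not an identity
    identity = frame[5:length].decode("utf-8", errors="replace")
    return EapIdentity(identifier, identity, classify_identity(identity))


def summarize(frames):
    """Count identity kinds across a capture.  Zero 'machine' responses means the
    supplicant never attempted machine auth, whatever the RADIUS log says."""
    counts = {"machine": 0, "user": 0, "anonymous": 0}
    for frame in frames:
        parsed = parse_eap_identity(frame)
        if parsed is not None:
            counts[parsed.kind] += 1
    return counts


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Construct an EAP-Response/Identity frame (used only to build sample input)."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


# Constructed sample capture: one EAP-Request/Identity from the authenticator,
# a machine-identity response, and a user-identity response (placeholder names).
SAMPLE_FRAMES = [
    bytes([1, 7, 0, 5, EAP_TYPE_IDENTITY]),                  # Request/Identity, id 7
    build_identity_response(7, "host/LAB-PC01.corp.example"),
    build_identity_response(8, "CORP\\someuser"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_eap_identity(f))
    print(summarize(SAMPLE_FRAMES))
```

On a real capture, feed the EAP payloads of the EAPOL frames seen on the mirrored port (or the EAP-Message attribute from the RADIUS Access-Request) into `summarize`; a count with no "machine" entries from the remote buildings, while the local building shows them, confirms that the difference is on the client side before the RADIUS server ever sees a machine-name attempt.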
