It's a single domain model with 4 DCs load balanced (the RADIUS server (NPS) is on the 4th DC, btw), and I don't think there are replication issues or they would show up intermittently everywhere; authentication works fine 100% of the time in the building the DCs are located in.
I said before that I thought it was policy, but when I try to reason it out I keep going back & forth between policy & some sort of strange network issue.

On Mon, Feb 1, 2010 at 9:27 AM, Butturini, Russell <[email protected]> wrote:

> That sounds like you could have some underlying AD issues causing the
> problem. Have you verified replication is working correctly?
>
> ________________________________
>
> From: [email protected] on behalf of Robert Portvliet
> Sent: Mon 2/1/2010 8:02 AM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Configuring WPA2 & RADIUS
>
> I was incorrect, each building is its own site in AD & its own subnet,
> which is a /16 on a private class A.
>
> On Sun, Jan 31, 2010 at 8:43 PM, Robert Portvliet <[email protected]> wrote:
>
> > That was going to be my next move, mirror the switchport the AP is
> > plugged into & take a capture of the auth attempt. (I'll do that tomorrow
> > morning)
> >
> > Like I said I'm coming into this a bit after the fact & didn't do
> > the initial setup, but yes the cert is self-signed & generated using
> > Microsoft CA (I'll look into the settings further though), the clients are
> > all Vista btw.
> >
> > As far as the network, it's flat with layer 3 routing only in the
> > core switch, each building is on its own VLAN, but the wireless VLAN is the
> > same no matter what building you are in; as far as AD goes there's only one
> > site, each building is an OU under that.
> >
> > I'm more of a Linux\Unix guy so I'm a bit light in the AD end of
> > things. I think it might be something to do with policy, but according to
> > the systems engineer you should be getting the same policy no matter where
> > you go.
> >
> > Thanks much for the help!
> >
> > On Sat, Jan 30, 2010 at 8:55 PM, Tim Mugherini <[email protected]> wrote:
> >
> > > Robert,
> > >
> > > First I would not trust the Radius server logs, grab a packet dump to
> > > verify they are not trying to auth as the computer acct (I have seen
> > > MS IAS not log attempts so even though I have no experience with 2k8
> > > NPS I would not trust the logs).
> > >
> > > Also you mentioned diff buildings, diff subnets? AD sites?
> > >
> > > Lastly you mentioned certificates, are you using a self-signed on the
> > > Radius server, MS CA? If MS CA what are your GPO settings for the
> > > Radius and Certs (have seen issues with MS CA and "verification" on XP
> > > so just a hunch on my part).
> > >
> > > Tim
> > >
> > > On Sat, Jan 30, 2010 at 10:26 AM, Robert Portvliet <[email protected]> wrote:
> > > >
> > > > I'm attempting to troubleshoot an issue with an implementation of WPA2 &
> > > > RADIUS with certificates (for wireless authentication), it is a somewhat
> > > > perplexing issue which I am hoping someone on the list may be able to
> > > > provide some guidance on.
> > > >
> > > > In the building local to the Radius server, the machine will authenticate
> > > > to the Radius server using the machine name without issue, however in the
> > > > other buildings the same machine (even using the same access point) will
> > > > never try to pass the machine name to authenticate... it passes the user
> > > > name, which works if we allow that method of authentication, but it's not
> > > > what we're after obviously.
> > > >
> > > > The strange thing is I see no trace in the Radius server log of it even
> > > > trying the machine name, and the policy the machine receives should be the
> > > > same in each building.
> > > >
> > > > For the Radius server I am using NPS on win2k8; the client machines are
> > > > Vista (latest patch level), APs are HP ProCurve, physical media is single
> > > > mode fiber between the buildings.
> > > >
> > > > I came into this a little late in the game, from what I can tell
> > > > everything seems to be configured correctly, but I'm getting the feeling I'm
> > > > missing something stupid, lol
> > > >
> > > > Thanks in advance!

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
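Tim's advice in the thread is to confirm from a packet capture, not from the NPS log, which identity the client actually presents. The following is an added example, not code from the thread, from NPS or from any of the posters: a small parser for the RADIUS Access-Request datagrams that the access point sends to NPS (RFC 2865 framing), which pulls out User-Name and NAS-IP-Address and counts machine identities (Windows 802.1X machine auth presents `host/<computer FQDN>`) against user identities per access point, so a capture taken in the local building can be compared side by side with one from a remote building. The sample datagrams, IP addresses, MAC address and names are constructed for the example and are not from a real capture; `build_access_request` exists only to produce that sample.

```python
"""Count machine vs. user identities in RADIUS Access-Requests, per access point.

Added example for the WPA2/NPS troubleshooting thread; not part of the original
posts. Sample traffic at the bottom is constructed, not a real capture.
"""
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# RADIUS code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31

Attr = Tuple[int, bytes]


class RadiusPacket(NamedTuple):
    code: int
    ident: int
    authenticator: bytes
    attrs: List[Attr]


def parse_radius(datagram: bytes) -> RadiusPacket:
    """Parse one RADIUS datagram (UDP payload) into header fields and attributes.

    Every length field is checked so a truncated or malformed packet raises
    instead of silently yielding an empty attribute list.
    """
    if len(datagram) < 20:
        raise ValueError("RADIUS header needs 20 bytes")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("RADIUS length field out of range")
    attrs: List[Attr] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length exceeds packet")
        attrs.append((atype, datagram[pos + 2 : pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, datagram[4:20], attrs)


def first_attr(attrs: List[Attr], atype: int) -> Optional[bytes]:
    """Return the value of the first attribute of the given type, if present."""
    for t, v in attrs:
        if t == atype:
            return v
    return None


def classify_identity(user_name: str) -> str:
    """Windows machine auth sends 'host/<FQDN>'; DOMAIN\\user or user@realm is user auth."""
    return "machine" if user_name.lower().startswith("host/") else "user"


def summarize_by_nas(datagrams: List[bytes]) -> Dict[str, Dict[str, int]]:
    """Count machine and user identities per NAS (access point) IP address."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"machine": 0, "user": 0})
    for dg in datagrams:
        pkt = parse_radius(dg)
        if pkt.code != ACCESS_REQUEST:
            continue  # ignore Access-Accept/Reject/Challenge from the server
        name = first_attr(pkt.attrs, ATTR_USER_NAME)
        nas = first_attr(pkt.attrs, ATTR_NAS_IP_ADDRESS)
        if name is None or nas is None or len(nas) != 4:
            continue  # no outer identity or no usable NAS address: skip
        nas_ip = ".".join(str(b) for b in nas)
        counts[nas_ip][classify_identity(name.decode("utf-8", "replace"))] += 1
    return dict(counts)


# --- constructed sample traffic (hypothetical AP addresses and names) --------

def build_access_request(ident: int, attrs: List[Attr]) -> bytes:
    """Assemble a minimal Access-Request for the sample; authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


SAMPLE_CAPTURE = [
    # AP in the building local to NPS: client presents its computer account
    build_access_request(1, [(ATTR_USER_NAME, b"host/laptop01.corp.example"),
                             (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 0, 5])),
                             (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]),
    # same client on an AP in a remote building: only the user identity appears
    build_access_request(2, [(ATTR_USER_NAME, b"CORP\\rportvliet"),
                             (ATTR_NAS_IP_ADDRESS, bytes([10, 2, 0, 5])),
                             (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]),
]

if __name__ == "__main__":
    for nas_ip, c in sorted(summarize_by_nas(SAMPLE_CAPTURE).items()):
        print(nas_ip, c)
```

To run this against the mirrored-port capture, export the UDP payloads of the `udp.port == 1812` packets and pass them as the list of byte strings. Two caveats: the User-Name attribute carries the supplicant's outer identity, so with PEAP the inner identity is inside the TLS tunnel and is not visible on the wire, whereas an EAP-TLS machine logon shows `host/...` directly; and an AP that never sends an Access-Request with a `host/` name for a client that does send one elsewhere points at the client side (what the supplicant chose to present), not at NPS logging.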
