Setting up 802.1X networks by using Internet Authentication Service

Uploaded by louisa-young, 25-Dec-2015

(Slide transcript of a Support WebCast)

Objective

The main objective is to educate enterprise network administrators about how to set up 802.1X secure networks.

Agenda

Server setup
    Authentication methods and vulnerabilities
    Best practices and recommendations
Certificate Authority (CA) setup
    Best practices and recommendations
Active Directory and client setup
    User and computer account setup and management
    Policy configuration in the domain
    Best practices and recommendations
Troubleshooting

Abstract

At the moment, setting up 802.1X is one of the most challenging tasks that network and systems administrators face.

This Support WebCast is targeted at network professionals, such as administrators, who need to improve security and centralize wireless access to their networks.

Recap: RADIUS

RADIUS is a standard for authentication, authorization, and accounting (the Microsoft implementation adds auditing); AAA or AAAA for short (triple A or quad A).

RADIUS is primarily used to manage network access through dial-in, wireless, and VPN network access servers.

The protocol was standardized in RFC 2058; the current implementation is defined in RFCs 2138 and 2139.

RADIUS uses User Datagram Protocol (UDP) packets.

Older servers used ports 1645 and 1646. The latest standards are ports 1812 for authentication and 1813 for accounting. Internet Authentication Service (IAS) has the ability to map any other unused port to do RADIUS.

Recap (2): IEEE 802.1X (8021X for short)

A mechanism to provide authentication and key management.

Dynamic key management = different keys per client.

More secure than WEP, and less susceptible to WEP crack techniques.

Works with wired and wireless LANs.

Supports multiple authentication methods: token keys, passwords, certificates, one-time passwords, and others.

Many more great features, such as central user management and mutual authentication.

Setting up Active Directory

To set up Active Directory, run Dcpromo.exe on your future domain controller.

When the domain is up, you can create user accounts and add computer accounts to Active Directory.

In Windows 2000 mixed domains, the accounts must be set to Allow access so that they can be successfully authenticated. There are mechanisms to override this on the IAS server.

In native domains in Windows 2000 (and later), the Control access through Remote Access Policy option is available. This is the default (and the recommended setup for all user and computer accounts), because this option allows the IAS server to determine whether to let the user in or not.

Certificate Authority (CA) setup

To set up the CA, perform the following steps on your future CA server:

1. Click Start, click Control Panel, and then double-click Add or Remove Programs.

2. Click Add/Remove Windows Components.

3. Click Certificate Services, and then click Details.

4. Make sure that Certificate Services Web Enrollment Support is selected. (You must have IIS installed before you perform this step.)

CA setup (2)

Recommendation: Use Certificate Services on computers running Microsoft Windows Server 2003 Enterprise Edition. This allows the administrator to have custom templates, and it includes two important certificate templates:

    RAS and IAS Server Authentication
    Wireless Authentication

These customized templates have the correct settings for the IAS server and wireless clients.

CA setup (3)

When the CA is installed, you must publish the certificate templates:

    RAS and IAS Server Authentication
    Wireless Authentication

CA setup (4)

Follow these steps to add the templates:

1. Click Start, point to Programs, point to Administrative Tools, and then click Certificate Authority.

2. Find the certificate templates.

3. Right-click the certificate templates, and then click Certificate Template to Issue.

4. In the dialog box that appears, click RAS and IAS Server Authentication and Wireless Authentication.

Setting up Group Policy

By default, wireless Group Policy settings are not set.

An administrator might want to change the default to make the process of getting wireless clients on the network easier.

Group Policy must be downloaded to the client before it can take effect on the client computers. This happens automatically when a domain user logs on to the computer for the first time, or when a new computer joins the domain (after first boot). It also happens at regular intervals.

Setting up Group Policy (2)

To force the Group Policy download on the client computer, use the GPUPDATE.EXE command-line tool with the /F[orce] option. This makes the computer download and update Group Policy locally (with any new modifications).

Use Group Policy to automatically enroll certificates for client computers. This is in addition to other certificates needed by the client (like the enterprise root certificate or other third-party root certificates that the administrator wants to push down to the clients automatically through Group Policy).

Setting up Group Policy (3)

Open the Active Directory Users and Computers snap-in.

Locate an organizational unit (OU) that you would like to have the wireless policy applied to, or create a new one by right-clicking the domain name, pointing to New, and then clicking Organizational Unit.

Add the computers that you would like to apply the Group Policy to.

Note: Wireless Group Policy applies only to computers.

Setting up Group Policy (4)

Right-click the OU, and then click Properties.

Tip: You can make the policy domain wide by right-clicking the domain name. Check the links at the end for additional information about Group Policy.

Click the Group Policy tab. Click New. Type the new name. Click Edit to start editing the policy.

Setting up Group Policy (5)

Note: You can also use the new Group Policy Management Console (GPMC), which works the same way. Check the links at the end of this WebCast for more information.

Group Policy: Configuring 802.1X in GP

Find the Wireless Network (IEEE 802.11) node and right-click it.

Select Create Wireless Network Policy.

After the wizard is done, continue to edit the properties.

Group Policy (2): Configuring 802.1X in GP

Recommendation: On the General tab, make sure to change the Networks to access list to Access point (infrastructure) networks only.

This option will only push this SSID as the default on your clients. (It will be added to the Preferred Networks list.)

Wireless Group Policy is not an exclusionary technology; you cannot prevent users from connecting to other SSIDs.

You can limit your clients to connect only to APs or to ad hoc networks.

Click the Preferred Networks tab, and then click Add.

Group Policy (3): Configuring 802.1X in GP

(Screenshot only)

Group Policy (4): Configuring 802.1X in GP

Select the Service Set Identifier (SSID) of your network. Clients will default to this SSID when presented with multiple SSIDs.

Add a description (optional). Leave the other default settings unchanged.

Group Policy (5): Configuring 802.1X in GP

(Screenshot only)

Group Policy (6): Configuring 802.1X in GP

Click the IEEE 802.1X tab.

Select the appropriate EAP type.

Click Settings.

Group Policy (7): Configuring 802.1X in GP

Select the EAP method's additional configuration.

Group Policy (8): Configuring 802.1X in GP

Recommendations:

Always enable Validate server certificate (to make sure that the client authenticates the server).

Always enable Fast Reconnect with PEAP.

Optionally, supply the names of your IAS servers in the Connect to these servers field. This will prevent the clients from connecting to rogue servers. Make sure that you specify the fully qualified domain name (FQDN) of the server as it appears in the server certificate.

Starting in Windows XP SP2, this field is a regular expression, so if you want to accept servers in the Microsoft.com domain you type: ^.*\.microsoft\.com$

These settings are available on the client for individual client configuration.
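The server-name pattern above is what stops a client from trusting a certificate issued to some other name. The following Python script is an added example (not from the slides or from Microsoft) that runs the slide's pattern over constructed server names and contrasts it with the same pattern left unanchored, so you can see what each accepts before deploying the field. The sample names and the lowercasing before matching are assumptions of the example; the slide does not state the client's own case rules.

```python
import re

# The pattern shown on the slide for the "Connect to these servers" field
# (Windows XP SP2 and later treat the field as a regular expression).
SLIDE_PATTERN = r"^.*\.microsoft\.com$"

# Illustrative mistake: the same pattern without the ^ and $ anchors.
UNANCHORED_PATTERN = r".*\.microsoft\.com"


def server_allowed(pattern: str, server_fqdn: str) -> bool:
    """Return True if the FQDN from the server certificate satisfies the
    pattern as a whole. re.fullmatch requires the entire name to match, so
    nothing can be appended or prepended to the expected suffix.
    Case handling is an assumption of this example: the name is lowercased
    before matching; the slide does not state the client's case rules."""
    return re.fullmatch(pattern, server_fqdn.lower()) is not None


def suffix_search_allowed(pattern: str, server_fqdn: str) -> bool:
    """What an UNANCHORED pattern used with a search (match anywhere) would
    accept. Shown only to illustrate why the slide's pattern is anchored:
    a name that merely contains '.microsoft.com' somewhere would pass."""
    return re.search(pattern, server_fqdn.lower()) is not None


# Constructed sample names (not from the slides). In practice these would be
# the FQDNs of your own IAS servers exactly as they appear in their certificates.
SAMPLE_NAMES = [
    "ias1.microsoft.com",                # host directly under the domain
    "IAS2.Corp.Microsoft.COM",           # deeper subdomain, mixed case
    "microsoft.com",                     # the bare domain: no dot before it
    "ias1.microsoft.com.example.test",   # expected suffix in the middle only
]


def evaluate(pattern: str = SLIDE_PATTERN, names=SAMPLE_NAMES) -> dict:
    """Map each sample name to the anchored decision."""
    return {name: server_allowed(pattern, name) for name in names}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'accept' if ok else 'reject':7} {name}")
    bad = "ias1.microsoft.com.example.test"
    print("unanchored search would accept", bad, "->",
          suffix_search_allowed(UNANCHORED_PATTERN, bad))
```

The bare domain is rejected because the pattern requires a dot before microsoft.com; if you want to accept the apex name as well, that has to be written into the expression deliberately rather than by dropping the anchors.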

Server setup: Setting up the IAS server

IAS is the Microsoft implementation of RADIUS.

RADIUS is one of the most popular authentication protocols.

IAS is included in Windows 2000 Server and Windows Server 2003. Add IAS by using Add/Remove Windows Components.

Server setup (2)

There are some limitations in the Standard Server IAS: 50 RADIUS clients and 2 server groups.

Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition do not have these limitations.

Windows XP and Windows Server 2003, Web Edition do not have IAS.

Windows Small Business Server 2003, Standard Edition has the standard server IAS.

IAS has been a component in Windows since Windows NT 4.0.

802.1X network support is available only in Windows 2000 Server IAS and Windows Server 2003 family IAS.

Server setup: Authentication methods

IAS supports many authentication methods:

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)

This is a robust and secure protocol, used with smart cards and certificates.

EAP-TLS provides very high levels of security and leverages the use of Public Key Infrastructure (PKI) based on the widely accepted Secure Sockets Layer (SSL) technology.

Server setup: Authentication methods (2)

PEAP-EAP-MSCHAPv2

Protected EAP (PEAP) is also a very secure authentication protocol. It has an internal protected authentication method that is flexible and easy to deploy, without the need for client-side certificates.

PEAP-EAP-TLS

This authentication is the ultimate in security, providing a secured external channel for EAP-TLS to be negotiated.

Server setup: Advantages of EAP and PEAP

The main advantage of EAP and PEAP is that the Access Point (AP) becomes a pass-through for the authentication, allowing the client to communicate directly with the server with little interference from the AP.

EAP and PEAP allow the mutual authentication of client and server, where the client validates the server certificate to ensure its validity and authenticity before connecting to the network.

Note: Mutual authentication is not done in all EAP methods.

Server setup: Advantages of EAP and PEAP (2)

Combined with 802.1X, EAP and PEAP provide a great framework for exchanging encryption keys without resorting to static Wired Equivalent Privacy (WEP) for encryption.

Keys are provided to the AP and the client after successful authentication.

Server setup: Server configuration

Before IAS can be set up for EAP/PEAP, the infrastructure for this must be in place.

Active Directory, DHCP, and Certificate Authority all must be in place before IAS. We will discuss the basic setup of Active Directory and Certificate Authority. DHCP and DNS are beyond the scope of this WebCast.

Server setup: Server configuration (2)

Active Directory and Certificate Authority are optional only for PEAP-EAP-MSCHAPv2, but are highly recommended for centralized management.

Active Directory is also mandatory in the case of computer authentication.

IAS can be deployed with a public domain certificate that can be obtained from any public Certificate Authority.

Server setup: Server configuration (3)

Register IAS in Active Directory

Log on to the IAS server as a domain administrator.

Right-click the IAS root node, and then click Register IAS in Active Directory.

This is a very important step. Without successfully registering IAS, the server may not be able to look up users or get proper certificates.

Server setup: Server configuration, add clients

Make sure that the client is a member of the clients list.

Confirm that the case-sensitive shared secret is correctly configured on IAS and on the Access Server (802.1X capable switch or Access Point).

Select a strong secret that is more than 15 characters and contains both alphanumeric and special characters.
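The shared secret matters because it is the only thing that hides the User-Password attribute and that authenticates every reply the access server receives on UDP/1812, which is why the recap slide's ports and this slide's case-sensitivity warning belong together. The following Python script is an added example (not from the slides or from Microsoft) that builds a minimal Access-Request with a hidden password, builds the Access-Accept with its Response Authenticator as defined in the RADIUS RFCs the recap cites, and verifies the reply with the right secret and with a secret that differs only in case. It also encodes the slide's strength rule for the secret. The secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes, attribute types and ports named on the slides (RFC 2138/2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT_TYPE = 1, 2, 61
NAS_PORT_WIRELESS_80211 = 19          # NAS-Port-Type value for Wireless-IEEE 802.11
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813


def secret_is_strong(secret: str) -> bool:
    """The slide's rule for a RADIUS shared secret: more than 15 characters,
    containing both alphanumeric and special characters."""
    return (len(secret) > 15
            and any(c.isalnum() for c in secret)
            and any(not c.isalnum() for c in secret))


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2138: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator.
    Only a party holding the same secret can reverse it."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Authenticator (16) | Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier: int, user: str, password: str, secret: bytes):
    """What the access server (AP or switch) sends to IAS on UDP/1812."""
    request_auth = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_WIRELESS_80211)))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def response_authenticator(code, identifier, request_auth, attrs, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, attrs, secret: bytes) -> bytes:
    """What IAS answers with (Access-Accept or Access-Reject)."""
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Access server side: accept a reply only if its Response Authenticator was
    computed with the same secret over our Request Authenticator. A secret that
    differs on either side, including by case, fails here."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret: bytes = b"Wlan-IAS#2003!Shared-Secret") -> dict:
    """Constructed exchange: the secret, user and password are made up."""
    request, request_auth = build_access_request(7, "alice", "correct horse", secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    return {
        "secret_strong": secret_is_strong(secret.decode()),
        "request_length": len(request),
        "verified_same_secret": verify_response(accept, request_auth, secret),
        "verified_case_changed": verify_response(accept, request_auth, secret.swapcase()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A mismatch shows up on the wire exactly as the troubleshooting slides describe: the reply's authenticator does not verify, so the access server discards it and the client never gets a usable answer, which is why checking the secret on both ends is the first thing to do when every authentication fails.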

Server setup: Server configuration, add Remote Access Policy

Add an appropriate Remote Access Policy (RAP) to the IAS server.

You may use the wizard or you can modify an existing policy.

Recommendation: Add Wireless-IEEE802.11 and Wireless-Other to the NAS-Port-Type policy condition. You may also add this as a dial-in constraint in the Remote Access Policy profile (double-click the policy after you create it, and then click Edit profile to see the constraints).

Server setup: Server configuration, add RAP (2)

You may use this setting with additional conditions and constraints as long as they do not conflict.

Recommendation: When creating a policy, make sure that you make it as restrictive as possible, so that only authorized users are allowed access.

Use Windows Groups membership, date and time restrictions, and similar items.

Server setup: Server configuration, add RAP (3)

(Screenshot only)

Server setup: Server configuration, add RAP (4)

Condition versus constraint

If a condition is met, that policy is invoked.

The constraint is checked after the condition is met.

Use constraints to have better control over users connecting, even if they are authorized to connect.

Recommendation: Always make your constraints as restrictive as possible.

Server setup: Server configuration, add RAP (5)

(Screenshot: policy condition and policy constraint)

Server setup: Server configuration, authentication types

Selecting the authentication type

Recommendation: Make sure that no other authentication types are selected.

Server setup: Server configuration, authentication types (2)

Recommendation: Make sure that you select only one EAP type. You can have more, but try to be as restrictive as possible. As a general rule, have only ONE per policy.

Server setup: Server configuration, authentication types (3)

If your CA infrastructure is correctly configured, you will see a certificate issued to your computer. If no suitable certificate is found, authentication will not be successful.

Recommendation: Always enable fast reconnect if you are using PEAP. Fast reconnect improves performance without sacrificing security.

Server setup: Server configuration

Set up as many policies as required and make sure that they are as restrictive as possible.

There is no limitation on the number of policies on the IAS server.

Policies are evaluated sequentially. The first one that matches is used and the rest are ignored.
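The condition-versus-constraint slide and the sequential-evaluation point above together determine whether a request is accepted, rejected, or never reaches the policy you expected. The following Python script is an added example (not from the slides or from Microsoft) that models that evaluation: the NAS-Port-Type and Windows-group conditions select the first matching policy, the day/time profile constraint is checked only afterwards, a failed constraint rejects rather than falling through, and the account's dial-in setting from the Active Directory slide (Allow access versus Control access through Remote Access Policy) decides whether the policy's own permission counts. The policy names, group names, hours and requests are constructed; the rules about first match, constraint rejection and a no-match reject follow the slides and IAS's documented behaviour.

```python
from dataclasses import dataclass
from datetime import datetime

# NAS-Port-Type values the slides recommend as the wireless policy condition.
WIRELESS_PORT_TYPES = frozenset({"Wireless-IEEE802.11", "Wireless-Other"})
CONTROL_BY_POLICY = "Control access through Remote Access Policy"
ALLOW_ACCESS = "Allow access"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    nas_port_type: str
    when: datetime
    dialin: str = CONTROL_BY_POLICY   # the account's dial-in setting (Active Directory slide)


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_types: frozenset                 # condition
    windows_groups: frozenset = frozenset()   # condition; empty means any group
    grant: bool = True                        # policy permission: grant or deny access
    allowed_hours: tuple = (0, 24)            # profile constraint: half-open [start, end)

    def conditions_match(self, req: Request) -> bool:
        return (req.nas_port_type in self.nas_port_types
                and (not self.windows_groups or bool(req.groups & self.windows_groups)))

    def constraints_pass(self, req: Request) -> bool:
        start, end = self.allowed_hours
        return start <= req.when.hour < end


def evaluate(policies, req: Request):
    """Sequential first-match evaluation as the slides describe it: the first
    policy whose conditions all hold is used and later policies are ignored.
    Only then are the profile constraints checked; failing one rejects the
    request instead of falling through. An account set to Allow access is
    admitted regardless of the policy's permission (constraints still apply);
    with Control access through Remote Access Policy the policy decides."""
    for policy in policies:
        if not policy.conditions_match(req):
            continue
        permitted = True if req.dialin == ALLOW_ACCESS else policy.grant
        if not permitted or not policy.constraints_pass(req):
            return ("Reject", policy.name)
        return ("Accept", policy.name)
    return ("Reject", None)   # no policy matched: IAS rejects by default


# Constructed sample policy set (names, group and hours are made up):
# a restrictive staff policy first, then a wireless catch-all that denies.
STAFF_WIRELESS = Policy("Wireless - staff", WIRELESS_PORT_TYPES,
                        frozenset({"Wireless-Users"}), True, (7, 19))
WIRELESS_DENY_OTHERS = Policy("Wireless - deny everyone else", WIRELESS_PORT_TYPES, grant=False)
POLICIES = [STAFF_WIRELESS, WIRELESS_DENY_OTHERS]


def sample_decisions(policies=POLICIES) -> dict:
    """Run constructed requests through the policy list in the given order."""
    day = datetime(2005, 3, 14, 10, 0)
    night = datetime(2005, 3, 14, 23, 0)
    staff, other = frozenset({"Wireless-Users"}), frozenset({"Domain Users"})
    requests = {
        "staff_daytime": Request("alice", staff, "Wireless-IEEE802.11", day),
        "staff_at_night": Request("alice", staff, "Wireless-IEEE802.11", night),
        "non_staff": Request("bob", other, "Wireless-Other", day),
        "wired_port": Request("carol", staff, "Ethernet", day),
        "allow_access_account": Request("dave", other, "Wireless-IEEE802.11", day, ALLOW_ACCESS),
    }
    return {label: evaluate(policies, req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, decision in sample_decisions().items():
        print(f"{label:22} -> {decision}")
    print("catch-all listed first:", sample_decisions(list(reversed(POLICIES)))["staff_daytime"])
```

Two results are worth noticing: listing the deny catch-all before the staff policy rejects staff too, because ordering is the whole evaluation, and the account left on Allow access is admitted by the deny policy, which is the reason the slides recommend Control access through Remote Access Policy for all user and computer accounts.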

Server setup: Server configuration, connection request processing

Next, you must set up connection request processing. By default, IAS authenticates on the local server (against Active Directory). You may proxy the authentication to a remote computer. Check the links at the end for setting up an IAS proxy.

45

Troubleshooting

First step: check the IAS server's event log.
The event log will contain information for all authentications that take place. Make sure that you select both Rejected authentication requests and Successful authentication requests on the IAS server properties page.
Right-click the root node in the IAS snap-in, and then click Properties to see this page.
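Once both successful and rejected requests are being recorded, the useful next step is to summarise them per user. The slide talks about the event log; this added example (not IAS code) instead reads the comma-separated IAS-format text log, because it is easy to process in bulk. The layout it assumes is the IAS log file format as I recall it: six fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute-id, value pairs, with 4136 = Packet-Type (1 Access-Request, 2 Access-Accept, 3 Access-Reject) and 4142 = Reason-Code. Verify those against your own log files before relying on the script; the log lines and the reason-code value below are constructed.

```python
# Added example, not IAS code: count accepted and rejected authentications per user
# from IAS-format log lines. Field layout and attribute ids 4136/4142 are assumed
# from my recollection of the IAS log file format; the sample lines are constructed.
import csv
from collections import Counter, defaultdict

PACKET_TYPE, REASON_CODE = 4136, 4142          # assumed IAS log attribute ids
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3             # RADIUS packet codes

# Constructed log: one successful authentication for alice, three rejects for bob.
# Reason-code values are carried through as opaque strings and not interpreted.
SAMPLE_LOG = """\
10.0.0.5,CONTOSO\\alice,03/15/2005,09:12:44,IAS,IASSRV01,4136,1
10.0.0.5,CONTOSO\\alice,03/15/2005,09:12:44,IAS,IASSRV01,4136,2,4142,0
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:01,IAS,IASSRV01,4136,1
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:01,IAS,IASSRV01,4136,3,4142,16
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:09,IAS,IASSRV01,4136,1
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:09,IAS,IASSRV01,4136,3,4142,16
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:20,IAS,IASSRV01,4136,1
10.0.0.5,CONTOSO\\bob,03/15/2005,09:13:20,IAS,IASSRV01,4136,3,4142,16
"""


def parse_record(line):
    """Return (nas_ip, user, date, time, attrs) where attrs maps attribute id -> value."""
    fields = next(csv.reader([line]))
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError(f"unexpected field count: {line!r}")
    attrs = {int(fields[i]): fields[i + 1] for i in range(6, len(fields), 2)}
    return fields[0], fields[1], fields[2], fields[3], attrs


def summarize(log_text):
    """Per user: number of accepts, number of rejects, and a Counter of reject reason codes."""
    summary = defaultdict(lambda: {"accept": 0, "reject": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, _, _, attrs = parse_record(line)
        packet_type = int(attrs.get(PACKET_TYPE, 0))
        if packet_type == ACCESS_ACCEPT:
            summary[user]["accept"] += 1
        elif packet_type == ACCESS_REJECT:
            summary[user]["reject"] += 1
            summary[user]["reasons"][attrs.get(REASON_CODE, "?")] += 1
    return dict(summary)


def repeated_rejects(summary, threshold=3):
    """Users whose reject count reached the threshold: typically a misconfigured
    client or an expired certificate, occasionally something worth a closer look."""
    return sorted(user for user, s in summary.items() if s["reject"] >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for user, s in result.items():
        print(f"{user}: {s['accept']} accepted, {s['reject']} rejected, reasons {dict(s['reasons'])}")
    print("repeated rejects:", repeated_rejects(result))
```

Access-Request records are counted by neither branch on purpose: pairing each request with its accept or reject is what tells you whether a client is retrying, and a user who only ever produces requests without a matching accept or reject usually points at the server never answering (see the connectivity checks later in this section).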

46

Troubleshooting (2)

47

Troubleshooting
Trace logs

When troubleshooting, always enable tracing:
NETSH RAS SET TRACING * ENABLED

When done troubleshooting, always disable tracing to eliminate additional overhead:
NETSH RAS SET TRACING * DISABLED

Trace files are available under %windir%\Tracing (windir is the folder where Windows is installed).

48

Troubleshooting
Trace logs (2)

Trace files are generated on the client and on the server.
Traces to look for on the client are RASTLS and RASCHAP. Which of them is relevant depends on the authentication method being used. Additionally, they will give a rough idea about what is going on during the authentication process.
Traces to look for on the IAS server are RASTLS, IASSAM, and possibly RASCHAP when using PEAP-EAP-MSCHAPv2. These will also give a rough idea about what is going on during the authentication.
An unexplained error or failure written in the logs might indicate where the problem is.

49

Troubleshooting
Network Monitor

Install Network Monitor. Network Monitor will help you sniff the RADIUS traffic and understand what is going on.
When doing 802.1X, all EAP payloads (inside RADIUS) are encrypted.
Other RADIUS information might not be encrypted.
Network Monitor is included with Windows Server 2003. Use Add/Remove Windows Components (look under Management and Monitoring Tools) to add Network Monitor.
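To make the last two points concrete, the following added example (not part of the deck and not IAS code) builds one RADIUS Access-Request carrying a PEAP EAP-Message and decodes it the way a Network Monitor capture presents it: User-Name, the AP address, Called-Station-Id (AP MAC and SSID) and Calling-Station-Id (client MAC) are readable by anyone on the path between the access point and the IAS server, while the EAP payload is only a TLS record the sniffer cannot open. It also verifies the Message-Authenticator, the HMAC-MD5 keyed with the RADIUS shared secret that protects EAP-carrying packets from tampering. Packet layout follows RFC 2865, RFC 2869 and RFC 3579; the packet, the shared secret and every value in it are constructed.

```python
# Added example, not part of the original deck or of IAS: decode a RADIUS
# Access-Request as a sniffer would show it, and verify its Message-Authenticator.
# Layout per RFC 2865 (RADIUS), RFC 2869 (Message-Authenticator), RFC 3579 (EAP-Message).
# The packet, the shared secret and all values are constructed for this example.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, CALLING_STATION_ID = 1, 4, 30, 31
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message",
              80: "Message-Authenticator"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-IEEE-802.11"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

SECRET = b"constructed-shared-secret"   # constructed for the example


def build_access_request(secret, ident, attrs):
    """Serialise attrs [(type, value bytes)] and append a Message-Authenticator.

    The Request Authenticator is fixed to zeros so the example is repeatable; a real
    client fills it with 16 random bytes. Message-Authenticator is HMAC-MD5 over the
    whole packet, keyed with the shared secret, computed with its own value zeroed.
    """
    request_authenticator = bytes(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def parse_attributes(packet):
    """Return (code, identifier, [(type, value bytes)]) after length checks."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs


def verify_message_authenticator(packet, secret):
    """True only if the HMAC-MD5 matches: a wrong secret or any modified byte fails."""
    _, _, attrs = parse_attributes(packet)
    pos = 20
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
        pos += 2 + len(v)
    return False   # RFC 3579 requires the attribute whenever EAP-Message is present


def describe(packet):
    """Render the packet as a sniffer would: cleartext attributes decoded, EAP summarised."""
    code, ident, attrs = parse_attributes(packet)
    out = {"Code": "Access-Request" if code == ACCESS_REQUEST else str(code), "Identifier": ident}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, f"Attr-{t}")
        if t in (USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID):
            out[name] = v.decode("utf-8", "replace")
        elif t == NAS_IP_ADDRESS and len(v) == 4:
            out[name] = ".".join(str(b) for b in v)
        elif t == NAS_PORT_TYPE and len(v) == 4:
            out[name] = NAS_PORT_TYPES.get(struct.unpack("!I", v)[0], "unknown")
    # EAP-Message fragments concatenate into one EAP packet: code, id, length, type, data
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) >= 5:
        ecode, _, elen, etype = struct.unpack("!BBHB", eap[:5])
        out["EAP-Message"] = {"code": {1: "Request", 2: "Response"}.get(ecode, str(ecode)),
                              "type": EAP_TYPES.get(etype, str(etype)),
                              "opaque_bytes": elen - 5}   # PEAP flags + TLS record, not decodable
    return out


def sample_packet():
    """Constructed PEAP Access-Request relayed by an AP (10.0.0.5) for a wireless client."""
    tls_record = b"\x17\x03\x01\x00\x20" + bytes(range(32))   # constructed stand-in for ciphertext
    eap = struct.pack("!BBHB", 2, 7, 6 + len(tls_record), 25) + b"\x00" + tls_record
    return build_access_request(SECRET, 42, [
        (USER_NAME, b"CONTOSO\\alice"),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
        (NAS_PORT_TYPE, struct.pack("!I", 19)),
        (CALLED_STATION_ID, b"00-11-22-33-44-55:CorpWLAN"),
        (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
        (EAP_MESSAGE, eap),
    ])


if __name__ == "__main__":
    pkt = sample_packet()
    for key, value in describe(pkt).items():
        print(f"{key}: {value}")
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, SECRET))
```

When you read a real capture, the same split applies: identity and station attributes are there for you (and for anyone else on that segment) to read, and the only thing protecting the packet from being altered between the AP and IAS is the shared secret behind the Message-Authenticator, so treat that secret with the same care as a password and keep the AP-to-server path on a network you control.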

50

Troubleshooting
Things to check

Always check your connections:
Make sure that you can ping the APs.
Make sure that the firewall is not blocking traffic.

51

Troubleshooting
Things to check (2)

Check that the IAS server has a valid certificate (a valid certificate will be requested on behalf of the computer if it has been added as a member of the RAS and IAS Servers group).
If Register Server in Active Directory is unavailable and you still can't find the IAS server in the RAS and IAS Servers group on the DC, you can add it manually.
You can also specify an IAS server in the RAS and IAS Servers certificate template; click the Security tab of the certificate template.

52

Troubleshooting
Ask the experts

Visit the RADIUS newsgroup and post questions there to obtain help from the community. Additionally, many members of the IAS development team monitor and respond to questions posted to the newsgroup.
microsoft.public.internet.radius

53

Troubleshooting
If you have to contact Product Support Services

When you send a question to Product Support Services (PSS), provide:
Network Monitor captures
Trace logs from the client and the server to help PSS identify the problem
A configuration dump, using the command-line command: NETSH AAAA SHOW CONFIG > ConfigFile.TXT
A rough description of your network