aironet + RADIUS

Everything related to wireless technologies

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

aironet + RADIUS

#1 Post by pysiok83 »

Hello!
I have RADIUS configured on Win 2008 with 2 policies (one to authenticate users who want to access the device, the other for users who want to get onto the wifi). The thing is, the users who want to access the device can do so: they fire up PuTTY and, using their domain credentials, get access to the devices. The problem is with those who want to connect to SSID TST, which should also authenticate users who are in the appropriate group; if they are, they should get connected to the network.
Config below:

Code: Select all


aaa new-model
!
!
aaa group server radius RADSRV
 server x auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
 server x auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group RADSRV local
aaa authorization console
aaa authorization exec default group radius local
aaa authorization network default group RADSRV
aaa accounting send stop-record authentication failure
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 15
aaa accounting network default start-stop group RADSRV
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
dot11 mbssid
!
!
dot11 ssid TST
   vlan 24
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa optional
   accounting acct_methods
   mbssid guest-mode
power inline negotiation prestandard source
!
!
dot1x timeout reauth-period 300
username x
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 24 mode ciphers aes-ccm tkip wep128
 !
 !
 ssid TST
 !
 antenna transmit right
 antenna receive left
 antenna gain 8
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.24
 encapsulation dot1Q 24
 no ip route-cache
 bridge-group 24
 bridge-group 24 subscriber-loop-control
 bridge-group 24 block-unknown-source
 no bridge-group 24 source-learning
 no bridge-group 24 unicast-flooding
 bridge-group 24 spanning-disabled
!
interface GigabitEthernet0.24
 encapsulation dot1Q 24
 no ip route-cache
 bridge-group 24
 no bridge-group 24 source-learning
 bridge-group 24 spanning-disabled
!
interface BVI1
 ip address x
 no ip route-cache
!
ip default-gateway x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1

line con 0
line vty 0 4
 login authentication eap_methods
line vty 5 15
 login authentication eap_methods
The problem concerns the TST network. When I try to connect to it from a laptop, I get this message in the logs:

Sep 10 16:37:46: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 58c3.8b59.f071 Reason: Sending station has left the BSS
Sep 10 16:38:39: %DOT11-7-AUTH_FAILED: Station a088.b417.02b0 Authentication failed
Sep 10 16:39:23: %DOT11-7-AUTH_FAILED: Station a088.b417.02b0 Authentication failed


borekbp
wannabe
Posts: 234
Joined: 29 Aug 2005, 23:31

Re: aironet + RADIUS

#2 Post by borekbp »

Post the output of

Code: Select all

debug radius authentication

because 'Authentication failed' alone is too little information.

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#3 Post by pysiok83 »

Sep 12 12:10:27.100: RADIUS/ENCODE(000004E2):Orig. component type = DOT11
Sep 12 12:10:27.100: RADIUS: AAA Unsupported Attr: ssid [265] 3
Sep 12 12:10:27.100: RADIUS: 54 [T]
Sep 12 12:10:27.100: RADIUS: AAA Unsupported Attr: interface [157] 4
Sep 12 12:10:27.100: RADIUS: 31 34 [14]
Sep 12 12:10:27.100: RADIUS(000004E2): Config NAS IP: 10.12.0.41
Sep 12 12:10:27.100: RADIUS/ENCODE(000004E2): acct_session_id: 1250
Sep 12 12:10:27.100: RADIUS(000004E2): Config NAS IP: 10.12.0.41
Sep 12 12:10:27.100: RADIUS(000004E2): sending
Sep 12 12:10:27.100: RADIUS(000004E2): Send Access-Request to 192.168.101.22:1812 id 1645/45, len 186
Sep 12 12:10:27.100: RADIUS: authenticator 1D AF 5F B6 0E 8D 37 CC - 21 C8 83 D8 D8 CF A0 28
Sep 12 12:10:27.100: RADIUS: User-Name [1] 32 "host/x.y.z"
Sep 12 12:10:27.100: RADIUS: Framed-MTU [12] 6 1400
Sep 12 12:10:27.100: RADIUS: Called-Station-Id [30] 16 "6400.f186.fbb3"
Sep 12 12:10:27.100: RADIUS: Calling-Station-Id [31] 16 "a088.b417.02b0"
Sep 12 12:10:27.100: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 12:10:27.100: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:27.100: RADIUS: 53 AE 65 A9 D7 C9 81 34 0E 29 2D 9B E0 4E 44 6C [S?e????4?)-??NDl]
Sep 12 12:10:27.100: RADIUS: EAP-Message [79] 37
Sep 12 12:10:27.100: RADIUS: 02 02 00 23 01 68 6F 73 74 2F 49 4D 53 4E 42 31 [???#?x/y]
Sep 12 12:10:27.100: RADIUS: 32 31 32 39 2E 69 6D 73 67 72 6F 75 70 2E 6C 6F [yy.z.z]
Sep 12 12:10:27.100: RADIUS: 63 61 6C [zz]
Sep 12 12:10:27.100: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Sep 12 12:10:27.100: RADIUS: NAS-Port [5] 6 1497
Sep 12 12:10:27.100: RADIUS: NAS-Port-Id [87] 6 "1497"
Sep 12 12:10:27.100: RADIUS: NAS-IP-Address [4] 6 10.12.0.41
Sep 12 12:10:27.100: RADIUS: Nas-Identifier [32] 11 "zzzz"
Sep 12 12:10:27.104: RADIUS: Received from id 1645/45 192.168.z.z:1812, Access-Reject, len 44
Sep 12 12:10:27.104: RADIUS: authenticator 4F EA C1 A8 19 B8 AE BD - 9C 65 68 5B A7 1D C5 0C
Sep 12 12:10:27.104: RADIUS: EAP-Message [79] 6
Sep 12 12:10:27.104: RADIUS: 04 02 00 04 [????]
Sep 12 12:10:27.104: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:27.104: RADIUS: DE 43 0C 0F 70 03 E2 E0 C3 AB 23 20 B5 1D 06 2B [?C??p?????# ???+]
Sep 12 12:10:27.104: RADIUS(000004E2): Received from id 1645/45
Sep 12 12:10:27.104: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Sep 12 14:10:27: %DOT11-7-AUTH_FAILED: Station a088.b417.02b0 Authentication failed
Sep 12 12:10:27.928: RADIUS/ENCODE(000004E3):Orig. component type = DOT11
Sep 12 12:10:27.928: RADIUS: AAA Unsupported Attr: ssid [265] 3
Sep 12 12:10:27.928: RADIUS: 54 [T]
Sep 12 12:10:27.928: RADIUS: AAA Unsupported Attr: interface [157] 4
Sep 12 12:10:27.928: RADIUS: 31 34 [14]
Sep 12 12:10:27.928: RADIUS(000004E3): Config NAS IP: 10.12.0.41
Sep 12 12:10:27.928: RADIUS/ENCODE(000004E3): acct_session_id: 1251
Sep 12 12:10:27.928: RADIUS(000004E3): Config NAS IP: 10.12.0.41
Sep 12 12:10:27.928: RADIUS(000004E3): sending
Sep 12 12:10:27.928: RADIUS(000004E3): Send Access-Request to 192.168.101.22:1812 id 1645/46, len 184
Sep 12 12:10:27.928: RADIUS: authenticator 7C 7B 18 1B 72 6E 22 63 - DD A1 D3 F2 A7 65 0B 10
Sep 12 12:10:27.928: RADIUS: User-Name [1] 31 "x\user"
Sep 12 12:10:27.928: RADIUS: Framed-MTU [12] 6 1400
Sep 12 12:10:27.928: RADIUS: Called-Station-Id [30] 16 "6400.f186.fbb3"
Sep 12 12:10:27.928: RADIUS: Calling-Station-Id [31] 16 "a088.b417.02b0"
Sep 12 12:10:27.928: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 12:10:27.928: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:27.928: RADIUS: 3F F2 F5 BA 11 71 24 D7 B1 BA AB 1C 76 A5 40 52 [?????q$?????v?@R]
Sep 12 12:10:27.928: RADIUS: EAP-Message [79] 36
Sep 12 12:10:27.928: RADIUS: 02 02 00 22 01 49 4D 53 47 52 4F 55 50 5C 72 61 [???"?x\us]
Sep 12 12:10:27.928: RADIUS: 64 6F 73 6C 61 77 2E 73 74 61 72 63 7A 65 77 73 [er]
Sep 12 12:10:27.928: RADIUS: 6B 69 [r]
Sep 12 12:10:27.928: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Sep 12 12:10:27.928: RADIUS: NAS-Port [5] 6 1498
Sep 12 12:10:27.928: RADIUS: NAS-Port-Id [87] 6 "1498"
Sep 12 12:10:27.928: RADIUS: NAS-IP-Address [4] 6 10.12.0.41
Sep 12 12:10:27.928: RADIUS: Nas-Identifier [32] 11 "zzz"
Sep 12 12:10:27.940: RADIUS: Received from id 1645/46 192.168.101.22:1812, Access-Reject, len 44
Sep 12 12:10:27.940: RADIUS: authenticator D8 95 61 54 30 B1 FE FC - EA 53 67 A1 10 A4 D7 27
Sep 12 12:10:27.940: RADIUS: EAP-Message [79] 6
Sep 12 12:10:27.940: RADIUS: 04 02 00 04 [????]
Sep 12 12:10:27.940: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:27.940: RADIUS: 4C FA B4 3A 28 54 61 77 3B 79 2C AE 26 D3 D7 92 [L??:(Taw;y,?&???]
Sep 12 12:10:27.940: RADIUS(000004E3): Received from id 1645/46
Sep 12 12:10:27.940: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Sep 12 12:10:30.568: RADIUS/ENCODE(000004E8):Orig. component type = DOT11
Sep 12 12:10:30.568: RADIUS: AAA Unsupported Attr: ssid [265] 3
Sep 12 12:10:30.568: RADIUS: 54 [T]
Sep 12 12:10:30.568: RADIUS: AAA Unsupported Attr: interface [157] 4
Sep 12 12:10:30.568: RADIUS: 31 35 [15]
Sep 12 12:10:30.568: RADIUS(000004E8): Config NAS IP: 10.12.0.41
Sep 12 12:10:30.568: RADIUS/ENCODE(000004E8): acct_session_id: 1256
Sep 12 12:10:30.568: RADIUS(000004E8): Config NAS IP: 10.12.0.41
Sep 12 12:10:30.568: RADIUS(000004E8): sending
Sep 12 12:10:30.568: RADIUS(000004E8): Send Access-Request to 192.168.101.22:1812 id 1645/47, len 184
Sep 12 12:10:30.568: RADIUS: authenticator E8 5F 28 D4 F4 86 A1 F3 - D0 BC BE 94 EA A5 94 9A
Sep 12 12:10:30.568: RADIUS: User-Name [1] 31 "z\user"
Sep 12 12:10:30.568: RADIUS: Framed-MTU [12] 6 1400
Sep 12 12:10:30.568: RADIUS: Called-Station-Id [30] 16 "6400.f186.fbb3"
Sep 12 12:10:30.568: RADIUS: Calling-Station-Id [31] 16 "a088.b417.02b0"
Sep 12 12:10:30.568: RADIUS: Service-Type [6] 6 Login [1]
Sep 12 12:10:30.568: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:30.568: RADIUS: 4B BD 4E 80 B8 5A FB 1E 68 E1 75 2B 95 AE 25 B6 [K?N??Z??h?u+????]
Sep 12 12:10:30.568: RADIUS: EAP-Message [79] 36
Sep 12 12:10:30.568: RADIUS: 02 02 00 22 01 49 4D 53 47 52 4F 55 50 5C 72 61 [???"?z\u]
Sep 12 12:10:30.568: RADIUS: 64 6F 73 6C 61 77 2E 73 74 61 72 63 7A 65 77 73 [se]
Sep 12 12:10:30.568: RADIUS: 6B 69 [r]
Sep 12 12:10:30.568: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Sep 12 12:10:30.568: RADIUS: NAS-Port [5] 6 1503
Sep 12 12:10:30.568: RADIUS: NAS-Port-Id [87] 6 "1503"
Sep 12 12:10:30.568: RADIUS: NAS-IP-Address [4] 6 10.12.0.41
Sep 12 12:10:30.568: RADIUS: Nas-Identifier [32] 11 "zzzz"
Sep 12 12:10:30.572: RADIUS: Received from id 1645/47 192.168.z.z:1812, Access-Reject, len 44
Sep 12 12:10:30.572: RADIUS: authenticator 8F 10 3B 2B 39 F8 DE 5C - EF 7B 03 E2 48 02 58 9A
Sep 12 12:10:30.572: RADIUS: EAP-Message [79] 6
Sep 12 12:10:30.572: RADIUS: 04 02 00 04 [????]
Sep 12 12:10:30.572: RADIUS: Message-Authenticato[80] 18
Sep 12 12:10:30.572: RADIUS: 75 3D 9C 0A E0 19 C5 E4 9F 96 E6 55 B8 10 E7 A2
Sep 12 12:10:30.572: RADIUS(000004E8): Received from id 1645/47
Sep 12 12:10:30.572: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
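
As an added example (not part of this thread's posts, and not Cisco's or Microsoft's code), here is a small Python parser for `debug radius authentication` output of the kind posted above. It pairs each Access-Request with the server's reply by RADIUS id and decodes the EAP-Message header, so the reader can see directly that the Access-Reject carries an EAP-Failure (code 4) and that the client had only sent an EAP Identity response, which is more than the AP's "Authentication failed" line says. The sample lines are constructed, modelled on the posted output with the server address, user and host names replaced by placeholders; the function names and the second (accepted) exchange are my own.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the `debug radius authentication` output
# posted in the thread; server address, user and host names are placeholders.
SAMPLE_DEBUG = """\
Sep 12 12:10:27.100: RADIUS(000004E2): Send Access-Request to 192.0.2.22:1812 id 1645/45, len 186
Sep 12 12:10:27.100: RADIUS:  User-Name           [1]   26  "host/laptop.example.test"
Sep 12 12:10:27.100: RADIUS:  Calling-Station-Id  [31]  16  "a088.b417.02b0"
Sep 12 12:10:27.100: RADIUS:  Message-Authenticato[80]  18
Sep 12 12:10:27.100: RADIUS:   53 AE 65 A9 D7 C9 81 34 0E 29 2D 9B E0 4E 44 6C  [S?e????4?)-??NDl]
Sep 12 12:10:27.100: RADIUS:  EAP-Message         [79]  31
Sep 12 12:10:27.100: RADIUS:   02 02 00 1D 01 68 6F 73 74 2F 6C 61 70 74 6F 70  [????host/laptop]
Sep 12 12:10:27.100: RADIUS:   2E 65 78 61 6D 70 6C 65 2E 74 65 73 74           [.example.test]
Sep 12 12:10:27.104: RADIUS: Received from id 1645/45 192.0.2.22:1812, Access-Reject, len 44
Sep 12 12:10:27.104: RADIUS:  EAP-Message         [79]  6
Sep 12 12:10:27.104: RADIUS:   04 02 00 04                                      [????]
Sep 12 12:11:02.000: RADIUS(000004F0): Send Access-Request to 192.0.2.22:1812 id 1645/46, len 190
Sep 12 12:11:02.000: RADIUS:  User-Name           [1]   19  "jdoe@example.test"
Sep 12 12:11:02.000: RADIUS:  EAP-Message         [79]  8
Sep 12 12:11:02.000: RADIUS:   02 0A 00 06 19 00                                [??????]
Sep 12 12:11:02.010: RADIUS: Received from id 1645/46 192.0.2.22:1812, Access-Accept, len 60
Sep 12 12:11:02.010: RADIUS:  EAP-Message         [79]  6
Sep 12 12:11:02.010: RADIUS:   03 0A 00 04                                      [????]
"""

SEND_RE = re.compile(r"RADIUS\(\w+\): Send (Access-\w+) to (\S+) id ([0-9/]+), len (\d+)")
RECV_RE = re.compile(r"RADIUS: Received from id ([0-9/]+) (\S+), (Access-\w+), len (\d+)")
# Attribute line: name, [number], length and an optional quoted value.
ATTR_RE = re.compile(r'RADIUS:\s+([A-Za-z][\w-]*)\s*\[(\d+)\]\s+(\d+)\s*(?:"([^"]*)")?')
# Hex dump line (attribute payload shown as bytes).
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap_header(raw):
    """Decode the EAP header (code, id, length) and, for Request/Response, the type byte."""
    if len(raw) < 4:
        return None
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:
        info["type"] = EAP_TYPES.get(raw[4], f"type {raw[4]}")
    return info


def parse_radius_debug(text):
    """Group debug lines into {radius_id: {"request": ..., "response": ...}}."""
    exchanges = OrderedDict()
    current = None       # packet record the following attribute lines belong to
    pending_eap = False  # the next hex dump line starts an EAP-Message
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            code, server, rid, length = m.groups()
            current = {"code": code, "server": server, "len": int(length), "attrs": {}, "eap": None}
            exchanges.setdefault(rid, {})["request"] = current
            pending_eap = False
            continue
        m = RECV_RE.search(line)
        if m:
            rid, server, code, length = m.groups()
            current = {"code": code, "server": server, "len": int(length), "attrs": {}, "eap": None}
            exchanges.setdefault(rid, {})["response"] = current
            pending_eap = False
            continue
        if current is None:
            continue
        if pending_eap:
            m = HEX_RE.search(line)
            if m:
                current["eap"] = decode_eap_header(bytes.fromhex("".join(m.group(1).split())))
                pending_eap = False
                continue
        m = ATTR_RE.search(line)
        if m:
            name, _num, _length, value = m.groups()
            if name == "EAP-Message":
                pending_eap = True  # the EAP bytes follow on the next dump line
            elif value is not None:
                current["attrs"][name] = value
    return exchanges


def summarize(exchanges):
    """One line per RADIUS id: user, server verdict and the EAP code inside the verdict."""
    lines = []
    for rid, ex in exchanges.items():
        req, resp = ex.get("request"), ex.get("response")
        user = req["attrs"].get("User-Name", "?") if req else "?"
        verdict = resp["code"] if resp else "no reply"
        eap = resp["eap"]["code"] if resp and resp["eap"] else "-"
        lines.append(f"id {rid}: {user} -> {verdict} (EAP {eap})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_radius_debug(SAMPLE_DEBUG)):
        print(line)
```

The point of decoding the EAP header is that a reject with an EAP-Failure right after the Identity response means the server ended the EAP conversation itself before any PEAP/MSCHAPv2 exchange took place, which points at the server's EAP configuration rather than at the user's password; the same parser works on a full `debug radius` capture with many ids.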

borekbp
wannabe
Posts: 234
Joined: 29 Aug 2005, 23:31

#4 Post by borekbp »

The debug shows 'Access-Reject' being returned by the RADIUS server... are you using NPS? Are you sure everything is OK on it? Maybe there are some logs on the RADIUS side?

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#5 Post by pysiok83 »

Yes - I'm using NPS.

Server logs below:

<Event><Timestamp data_type="4">09/13/2012 16:48:15.849</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/IMSNB12129.domena.local</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">6400.f186.fbb3</Called-Station-Id><Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">3513</NAS-Port><NAS-Port-Id data_type="1">3513</NAS-Port-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\IMSNB12129$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">domena\IMSNB12129$</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 1</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:48:15.849</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 1</Class><Authentication-Type data_type="0">5</Authentication-Type><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Fully-Qualifed-User-Name data_type="1">domena\IMSNB12129$</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">domena\IMSNB12129$</SAM-Account-Name><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:48:16.599</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">domena\user</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">6400.f186.fbb3</Called-Station-Id><Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">3514</NAS-Port><NAS-Port-Id data_type="1">3514</NAS-Port-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">domena\user</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 2</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:48:16.599</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 2</Class><Authentication-Type data_type="0">5</Authentication-Type><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Fully-Qualifed-User-Name data_type="1">domena\user</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:48:18.787</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">domena\user</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">6400.f186.fbb3</Called-Station-Id><Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">3517</NAS-Port><NAS-Port-Id data_type="1">3517</NAS-Port-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">domena\user</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 3</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:48:18.787</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 3</Class><Authentication-Type data_type="0">5</Authentication-Type><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Fully-Qualifed-User-Name data_type="1">domena\user</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:54:52.195</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">user</User-Name><NAS-Port data_type="0">1</NAS-Port><NAS-Port-Id data_type="1">tty1</NAS-Port-Id><NAS-Port-Type data_type="0">5</NAS-Port-Type><Calling-Station-Id data_type="1">192.168.112.102</Calling-Station-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">NETWORK_EQUIPMENT_ACCESS</NP-Policy-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 4</Class><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><Fully-Qualifed-User-Name data_type="1">domena.local/IMS Poland/Users/Starczewski Radosław</Fully-Qualifed-User-Name><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:54:52.195</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 4</Class><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><Fully-Qualifed-User-Name data_type="1">domena.local/IMS Poland/Users/Starczewski Radosław</Fully-Qualifed-User-Name><Service-Type data_type="0">1</Service-Type><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">NETWORK_EQUIPMENT_ACCESS</NP-Policy-Name><Cisco-AV-Pair data_type="1">shell:priv-lvl=15</Cisco-AV-Pair><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:56:57.322</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">host/IMSNB12129.domena.local</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">6400.f186.fbb3</Called-Station-Id><Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">3522</NAS-Port><NAS-Port-Id data_type="1">3522</NAS-Port-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\IMSNB12129$</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">domena\IMSNB12129$</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 5</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:56:57.322</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 5</Class><Authentication-Type data_type="0">5</Authentication-Type><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Fully-Qualifed-User-Name data_type="1">domena\IMSNB12129$</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">domena\IMSNB12129$</SAM-Account-Name><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>
<Event><Timestamp data_type="4">09/13/2012 16:56:58.072</Timestamp><Computer-Name data_type="1">IMSSRV1202</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">domena\user</User-Name><Framed-MTU data_type="0">1400</Framed-MTU><Called-Station-Id data_type="1">6400.f186.fbb3</Called-Station-Id><Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id><Service-Type data_type="0">1</Service-Type><NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-Port data_type="0">3523</NAS-Port><NAS-Port-Id data_type="1">3523</NAS-Port-Id><NAS-IP-Address data_type="3">10.12.0.41</NAS-IP-Address><NAS-Identifier data_type="1">IMSAP1202</NAS-Identifier><Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address><Client-Vendor data_type="0">9</Client-Vendor><Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">domena\user</SAM-Account-Name><Fully-Qualifed-User-Name data_type="1">domena\user</Fully-Qualifed-User-Name><EAP-Friendly-Name data_type="1"></EAP-Friendly-Name><Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 6</Class><Authentication-Type data_type="0">5</Authentication-Type><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

borekbp
wannabe
Posts: 234
Joined: 29 Aug 2005, 23:31

#6 Post by borekbp »

Code: Select all

<Event>

<Timestamp data_type="4">09/13/2012 16:48:15.849</Timestamp>
<Computer-Name data_type="1">IMSSRV1202</Computer-Name>
<Event-Source data_type="1">IAS</Event-Source>
<Class data_type="1">311 1 192.168.101.22 09/13/2012 14:48:04 1</Class>
<Authentication-Type data_type="0">5</Authentication-Type>
<EAP-Friendly-Name data_type="1"></EAP-Friendly-Name>
<Fully-Qualifed-User-Name data_type="1">domena\IMSNB12129$</Fully-Qualifed-User-Name>
<SAM-Account-Name data_type="1">domena\IMSNB12129$</SAM-Account-Name>
<Client-IP-Address data_type="3">10.12.0.41</Client-IP-Address>
<Client-Vendor data_type="0">9</Client-Vendor>
<Client-Friendly-Name data_type="1">IMSAP1202</Client-Friendly-Name>
<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>
<Provider-Type data_type="0">1</Provider-Type>
<Packet-Type data_type="0">3</Packet-Type>
<Reason-Code data_type="0">22</Reason-Code>

</Event> 
The most important things are those last two pieces of information.

Code "22" means:
Network Policy Server was unable to negotiate the use of an Extensible Authentication Protocol (EAP) type with the client computer

link
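
Added example (not from the thread, and not NPS's own tooling): a Python script that reads the IAS-format XML lines NPS writes, like the ones posted above, joins each Access-Request with its verdict through the Class attribute (both records carry the same value), and reports per session the NAS-Port-Type, the network policy that was hit and the Reason-Code. That is the check the replies in this thread ask for: which policy gets hits, and what the reject reason is. The sample events are constructed with placeholder names and addresses (NPS01, EXAMPLE, jdoe, 192.0.2.x, 198.51.100.x); the text for Reason-Code 22 is the one quoted in this post, the other codes are taken from Microsoft's NPS reason-code list and should be verified against your NPS version; the function names are mine.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet", 19: "Wireless-802.11"}
# Reason-Code 22 is the one quoted in this post; the others follow Microsoft's
# NPS reason-code list (assumed here, verify against your NPS version).
REASON_CODES = {
    0: "success",
    16: "credentials mismatch (unknown user or wrong password)",
    22: "NPS could not negotiate an EAP type with the client",
    48: "no network policy matched the request",
    49: "no connection request policy matched the request",
    66: "client used an authentication method not enabled on the matched network policy",
}

# Constructed sample in the IAS XML log format NPS writes: one wireless PEAP
# attempt rejected with code 22, and one device (tty) login that matches a
# network policy and is accepted.  Names and addresses are placeholders.
SAMPLE_NPS_LOG = [
    '<Event><Timestamp data_type="4">09/13/2012 16:48:15.849</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">host/laptop.example.test</User-Name>'
    '<Calling-Station-Id data_type="1">a088.b417.02b0</Calling-Station-Id>'
    '<NAS-Port-Type data_type="0">19</NAS-Port-Type><NAS-IP-Address data_type="3">192.0.2.41</NAS-IP-Address>'
    '<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>'
    '<SAM-Account-Name data_type="1">EXAMPLE\\LAPTOP$</SAM-Account-Name>'
    '<Class data_type="1">311 1 198.51.100.22 09/13/2012 14:48:04 1</Class>'
    '<Authentication-Type data_type="0">5</Authentication-Type>'
    '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">09/13/2012 16:48:15.849</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source>'
    '<Class data_type="1">311 1 198.51.100.22 09/13/2012 14:48:04 1</Class>'
    '<Authentication-Type data_type="0">5</Authentication-Type>'
    '<SAM-Account-Name data_type="1">EXAMPLE\\LAPTOP$</SAM-Account-Name>'
    '<Proxy-Policy-Name data_type="1">Secure Wireless Connections</Proxy-Policy-Name>'
    '<Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">22</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">09/13/2012 16:54:52.195</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source>'
    '<User-Name data_type="1">jdoe</User-Name><NAS-Port-Id data_type="1">tty1</NAS-Port-Id>'
    '<NAS-Port-Type data_type="0">5</NAS-Port-Type><Calling-Station-Id data_type="1">192.0.2.102</Calling-Station-Id>'
    '<NAS-IP-Address data_type="3">192.0.2.41</NAS-IP-Address>'
    '<Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>'
    '<SAM-Account-Name data_type="1">EXAMPLE\\jdoe</SAM-Account-Name>'
    '<Authentication-Type data_type="0">1</Authentication-Type>'
    '<NP-Policy-Name data_type="1">NETWORK_EQUIPMENT_ACCESS</NP-Policy-Name>'
    '<Class data_type="1">311 1 198.51.100.22 09/13/2012 14:48:04 2</Class>'
    '<Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">09/13/2012 16:54:52.195</Timestamp>'
    '<Computer-Name data_type="1">NPS01</Computer-Name><Event-Source data_type="1">IAS</Event-Source>'
    '<Class data_type="1">311 1 198.51.100.22 09/13/2012 14:48:04 2</Class>'
    '<SAM-Account-Name data_type="1">EXAMPLE\\jdoe</SAM-Account-Name>'
    '<NP-Policy-Name data_type="1">NETWORK_EQUIPMENT_ACCESS</NP-Policy-Name>'
    '<Cisco-AV-Pair data_type="1">shell:priv-lvl=15</Cisco-AV-Pair>'
    '<Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
]


def parse_nps_events(lines):
    """Parse one <Event> element per line into a flat {tag: text} dict."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        root = ET.fromstring(line)
        events.append({child.tag: (child.text or "") for child in root})
    return events


def pair_by_session(events):
    """Join each Access-Request with the verdict that carries the same Class attribute."""
    sessions = OrderedDict()
    for ev in events:
        key = ev.get("Class", ev.get("Timestamp", "?"))
        slot = sessions.setdefault(key, {"request": None, "verdict": None})
        if int(ev.get("Packet-Type", 0)) == 1:
            slot["request"] = ev
        else:
            slot["verdict"] = ev
    return sessions


def triage(sessions):
    """Per session: who, over which port type, which network policy was hit, and the outcome."""
    rows = []
    for slot in sessions.values():
        req, ver = slot["request"], slot["verdict"]
        src = req or ver or {}
        reason = int(ver["Reason-Code"]) if ver and "Reason-Code" in ver else -1
        rows.append({
            "user": src.get("User-Name") or src.get("SAM-Account-Name", "?"),
            "port_type": NAS_PORT_TYPES.get(int(src.get("NAS-Port-Type", 0)), "unknown"),
            "policy": (ver or {}).get("NP-Policy-Name") or src.get("NP-Policy-Name") or "(none logged)",
            "verdict": PACKET_TYPES.get(int(ver["Packet-Type"]), "unknown") if ver else "no verdict logged",
            "reason": REASON_CODES.get(reason, f"reason code {reason}"),
        })
    return rows


if __name__ == "__main__":
    for row in triage(pair_by_session(parse_nps_events(SAMPLE_NPS_LOG))):
        print(row)
```

Run against the real log directory, the output makes the contrast in this thread visible in one screen: the tty login (NAS-Port-Type 5) hits NETWORK_EQUIPMENT_ACCESS and is accepted, while the wireless attempt (NAS-Port-Type 19) shows no network policy name and a reject with reason 22, i.e. the EAP negotiation failed before any group membership was ever evaluated.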

Pjotrus
wannabe
Posts: 59
Joined: 03 Nov 2008, 21:51

#7 Post by Pjotrus »

What does your policy on NPS look like (the Constraints tab)? Under Authentication Method do you have PAP, SPAP or something else selected?

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#8 Post by pysiok83 »

Config as in the attachment:

http://www.freeimagehosting.net/xbgpa

Strange that logging into the device via RADIUS works.

Pjotrus
wannabe
Posts: 59
Joined: 03 Nov 2008, 21:51

#9 Post by Pjotrus »

Also show the "conditions" and "settings" of that policy. The information is shown below once you select that profile.

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#10 Post by pysiok83 »

Policy settings:
http://www.freeimagehosting.net/lojqc

The settings you asked for:
http://www.freeimagehosting.net/lgxmx
PS I also added 3 more items in the settings themselves, but the problem remains (when I connect from a Win7 client to the SSID, which is supposed to use RADIUS to check whether the given client is in the wifi group in AD and, if so, connect it to the SSID; the user is of course in the group, the group is added to the policy, and yet I still can't connect to the SSID) http://www.freeimagehosting.net/hs7by

Additionally, I'm also posting the settings of the policy that works without problems, because it's what I authenticate against when I log in via telnet to the AP's CLI
http://www.freeimagehosting.net/ea8rx

Pjotrus
wannabe
Posts: 59
Joined: 03 Nov 2008, 21:51

#11 Post by Pjotrus »

I have a few configurations similar to yours, and generally on NPS I have the following selected:
http://www.freeimagehosting.net/ztfbz

And that is quite enough.

You can also check in the settings of that SSID (if it's e.g. Windows) - the Security tab / PEAP - and untick the "Validate server certificate" option; the authentication method here is EAP-MSCHAPv2. When connecting to the network, do you enter a password, or are the credentials you're currently logged on to the workstation with picked up automatically (in that window there is also the option Configure - Automatically...)?

If you're logged on to the workstation with a domain account and those credentials are used for logon, it's worth ticking that - there won't be a problem after a password change. Unless different ones are used - that's up to you.

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#12 Post by pysiok83 »

In your config, the first line has some "Extensible Authentication Protocol Conf." What is that? Is it needed?
In the SSID security settings in Windows I tried various settings. Generally I always left the certificate option unticked. Authentication is set to login and password or computer identity. However, for verification I sometimes set it to enter the login and password manually, and it didn't help. Now I'm using the login and password of the workstation account I'm logged on with. In the logs I can see it picks up the right data.
Do you have any other ideas?

PS I found a post with a similar problem: https://supportforums.cisco.com/thread/2130310. At the very end the guy writes something about renewing the certificates on the server, that this solved the problem.
PS1 Could you possibly send me your Cisco AP config?

Pjotrus
wannabe
Posts: 59
Joined: 03 Nov 2008, 21:51

#13 Post by Pjotrus »

The problem is more likely somewhere on the NPS side. It's hard for me to say what might be wrong there. Also check in the NPS logs which policy you're getting hits on. Fresh logs will be written once you restart NPS. On my side, in the Constraints/Authentication Method tab I have PEAP (EAP Types), in its properties I have the domain controller's certificate selected, and for EAP types I have eap-mschapv2 - and that's it.

pysiok83
wannabe
Posts: 221
Joined: 21 Sep 2009, 12:06

#14 Post by pysiok83 »

Unfortunately I can't change the properties of the added EAP. Unless you do it differently. Can you describe exactly where you have those properties? Do I need to add a certificate server as a role?

Pjotrus
wannabe
Posts: 59
Joined: 03 Nov 2008, 21:51

#15 Post by Pjotrus »

If you don't have that option available, you probably don't have a certificate on the controller. Set up a CA and make a request - you'll find a "how to" on TechNet. On my side it looks roughly like this:
http://www.freeimagehosting.net/pn5a7
