Tags: access points, cisco, gpo, service pack 3, wifi, windows 2003, windows xp

#1
WiFi Settings via GPO not working ... - [WP]

I am testing IAS/RADIUS Windows 2003 user authentication via WiFi Cisco Access Points, using the User and Machine certificates from our own CA with WPA2. Test XPSP2 notebooks connect using wifi - no issues at all. Now we have around 300 notebook users whom we want to give wifi access so they can get authenticated by AD using the IAS/RADIUS. So I cannot go to each machine and configure the wireless client settings ... so I decided to push out the client-side wifi settings using a GPO and it pushes it fine .... no issues ......

Here is the issue now ..... The client-side wifi settings, when pushed by the GPO to the notebooks, don't work/connect to the wifi AP at all. I see the network name and I click on it, nothing happens, no error at all. Then I disable the GPO and wait for a minute or so ..... then all works fine. It seems the client-side settings do not like it via the GPO.

Any ideas.... what's going on here ... I am not going machine to machine to change wifi settings???

#2
Re: WiFi Settings via GPO not working ... - [WP]

What version certificate template did you create? What OS version is the CA installed on? Did you make sure the client (user and machine) received a cert while on the wire before trying it wirelessly?

btw - This question is better suited for the microsoft.public.security.crypto and the windows.public.security newsgroups. I cross posted it for your convenience. Just check back here for responses.

#3
Re: WiFi Settings via GPO not working ... - [WP]

Thanks for your response and cross post. The PC has both machine and user certs. Running Windows 2003 Enterp version CA. Any other ideas?

#4
Re: WiFi Settings via GPO not working ... - [WP]

I asked about the server OS type because that is the major cause of not using the right type of cert. Good to hear it is an Enterprise Edition you're using.

My initial feeling is either the cert is misconfigured, the GPO is misconfigured, or the cert is not being passed from the AP to IAS correctly, or IAS is not recognizing the cert. This is just a hunch based on what you've posted.

Have you configured IAS logging to see if it is on that end? How about the AP's logs? What do they tell you? How about in IAS' event logs? Anything up on that end? Is IAS on a DC? If not, did you install the necessary cert on the IAS box?

There are a couple of free IAS log viewers available:

Download Ias Log Viewer Software: ACAD DWG Viewer, DWGSee AutoCAD ...
Free ias log viewer downloads - Collection of ias log viewer freeware, shareware download - GetDiz, DWGSee DWG Viewer Pro, DWGSee Pro ...
http://www.filebuzz.com/findsoftware..._viewer/1.html

Download IAS Log Viewer
Download the latest version of IAS Log Viewer free. The IAS Log Viewer program helps read and interpret the log files from Windows 2000 Routing and Remote ...
http://www.findmysoft.com/scripts/IA...-download.html

However, it's difficult to pinpoint because there are numerous factors involved, including Cisco to IAS RADIUS configuration, the Cisco AP setup itself to accept certs, if you have the cert installed for IAS, if you chose the correct certificate template to create the necessary machine identification and/or user identification cert, how you set up that portion in the AP, etc. Honestly, with the numerous factors involved, it is difficult to pinpoint where the issue is. It doesn't really matter if the laptop can connect without the cert, because the problem is getting the cert to identify either the user and/or computer, depending on how you set up the cert, the wireless GPO, if the AP SSIDs are correct in the GPO, etc.

The last time I set this up, it took me a week to get it to work, in between other tasks I was doing. I had to also open a ticket to Cisco for assistance with the 1231 AP I used to get it to work.

My suggestion is to test it with first a user cert, then once you get that working, test it with a machine cert. Once you get that working, combine them, that is if it is your intention to use both authentication factors. I find that user cert authentication is secure enough, but of course if you need the extra protection, I can understand.

You won't have to go machine to machine. Just create a test OU with your wireless GPO and test it only on that laptop.

See if the following notes/links help. As you can see with all the links, I went through a similar process and had to do a lot of research besides asking for Cisco's help to get it to work.

======================================================================================================
Wireless WPA2 GPO

The Schema must be extended to support it under AD. Sorry I didn't mention that crucial step even with SP3!

Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements: http://technet.microsoft.com/en-us/l.../bb727029.aspx
Config WPA2 in a GPO: http://episteme.arstechnica.com/eve/...m/541002053831
The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available: http://support.microsoft.com/kb/893357
Description of the Wireless Client Update for Windows XP with Service Pack 2: http://support.microsoft.com/?kbid=917021
Request a certificate: http://technet.microsoft.com/en-us/l.../cc784473.aspx
Submit a user certificate request via the Web to a Windows Server 2003 CA: http://technet.microsoft.com/en-us/l.../cc783058.aspx
Configure Certificate Autoenrollment: http://technet.microsoft.com/en-us/l.../cc731522.aspx
AD CS Step-By-Step Guide (about setting up a CA with wireless and autoenrollment): http://www.microsoft.com/DOWNLOADS/d...displaylang=en
Advanced Certificate Enrollment and Management: http://www.microsoft.com/technet/pro...y/advcert.mspx
Certificate Autoenrollment in Windows Server 2003: http://www.microsoft.com/technet/pro.../autoenro.mspx
Selecting Certificate Templates Public Key (need enterprise to make autoenrollment work): http://www.microsoft.com/technet/pro...0d0ef4e9a.mspx
Configure a certificate template for client autoenrollment: http://technet2.microsoft.com/Window...00a8e1033.mspx
======================================================================================================

#5
Re: WiFi Settings via GPO not working ... - [WP]

It's working now .... I had to create a separate OU for users and applied the GPO there. If I apply the GPO at the top level to my domain it does not work.

#6
Re: WiFi Settings via GPO not working ... - [WP]

Wee, that is good to hear that it was simply where to place the GPO. I have never tried putting it at the domain level. Anytime I've ever created GPOs, I've never set it at the domain, because it affects everything, including DCs. I would rather place them specifically where I wanted them to apply. As far as why it didn't work at that level, not sure.

#7
Re: WiFi Settings via GPO not working ... - [WP]

Were you able to get it to work with both user & machine cert on Cisco WiSM (or WLC)? Other than using the user GPO, was anything else done? Care to share any resources you find useful in setting up on the MS & Cisco side?

#8
Re: WiFi Settings via GPO not working ... - [WP]

I only set it up for user certificates, not machine. You could go one step further for the machine certificate to ensure only authorized machines with a user account that has a certificate. Keep in mind, whether you go with just a user cert, or both, the certs have to be preinstalled while on the 'wire.'