Environment:
Wireless PEAP with Windows Active Directory domain authentication is configured. (see http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-peap-authentication/6148543 for the setup detail).
Windows Server 2003 with a self-signed digital certificate as the RADIUS server.
Wireless access managed by the Active Directory “WiFi Users” security group.
Access Point: Cisco WAP4410N with firmware 2.0.5.3
Access Point Configuration:
- Discovery (By Bonjour): Enabled
- Wireless Security Mode: WPA2-Enterprise Mixed (WPA Algorithm: TKIP or AES)
- Primary RADIUS Server: Windows Server 2003 RADIUS server IP address
- Primary RADIUS Server Port: 1812
- Wireless Connection Control (MAC address filter): Disabled
Problem:
The users in the Active Directory “WiFi Users” security group were able to authenticate and access the wireless with the wireless devices (iPhone, iPad, Windows Phone 7.5, Windows XP with SP3, Windows 7, MAC OS X, etc) configured with the PEAP authentication. One day in August 2012, the Windows Server 2003 RADIUS server was updated with the latest Microsoft security updates. Then, only iOS devices (maybe MAC OS X too) can authenticate and access the wireless; all Windows based devices keep getting the connection failure even the configuration and authentication are correct.
Troubleshoot:
The RADIUS server System log shows a warning from source IAS, event ID 2. The user was denied access; Reason-Code = 266; Reason = The message received was unexpected or badly formatted.
Solution:
The scenario 2 in the KB article (http://support.microsoft.com/kb/933430) matches this issue. Use method 3 in the KB article resolved the problem.
