Environment:
Wireless PEAP with Windows Active Directory domain authentication is configured (see http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-peap-authentication/6148543 for the setup details).
Windows Server 2003 with a self-signed digital certificate as the RADIUS server.
Wireless access managed by the Active Directory “WiFi Users” security group.
Access Point: Cisco WAP4410N with firmware 2.0.5.3
Access Point Configuration:
- Discovery (By Bonjour): Enabled
- Wireless Security Mode: WPA2-Enterprise Mixed (WPA Algorithm: TKIP or AES)
- Primary RADIUS Server: Windows Server 2003 RADIUS server IP address
- Primary RADIUS Server Port: 1812
- Wireless Connection Control (MAC address filter): Disabled
Problem:
Users in the Active Directory “WiFi Users” security group were able to authenticate and access the wireless network from devices (iPhone, iPad, Windows Phone 7.5, Windows XP with SP3, Windows 7, Mac OS X, etc.) configured for PEAP authentication. One day in August 2012, the Windows Server 2003 RADIUS server was updated with the latest Microsoft security updates. After that, only iOS devices (maybe Mac OS X too) could authenticate and access the wireless network; all Windows-based devices kept getting connection failures even though the configuration and authentication were correct.
Troubleshoot:
The RADIUS server System log shows a warning from source IAS, event ID 2. The user was denied access; Reason-Code = 266; Reason = The message received was unexpected or badly formatted.
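A triage sketch for the log check above, added here as an example and not part of the original post: it parses IAS denial messages and counts them by Reason-Code, so a run of 266 denials across otherwise valid accounts stands out from credential failures. The sample messages, the `EXAMPLE` domain, the `Fully-Qualified-User-Name` field layout and the function name are assumptions for illustration.

```powershell
# Constructed sample message texts in the "Name = value" layout quoted in the post.
# On the RADIUS server, build $messages from the System log instead:
#   $messages = Get-EventLog -LogName System |
#       Where-Object { $_.Source -eq 'IAS' -and $_.EventID -eq 2 } |
#       ForEach-Object { $_.Message }
$messages = @(
    "User EXAMPLE\alice was denied access.`r`n Fully-Qualified-User-Name = EXAMPLE\alice`r`n Reason-Code = 266`r`n Reason = The message received was unexpected or badly formatted.",
    "User EXAMPLE\bob was denied access.`r`n Fully-Qualified-User-Name = EXAMPLE\bob`r`n Reason-Code = 266`r`n Reason = The message received was unexpected or badly formatted.",
    "User EXAMPLE\alice was denied access; Fully-Qualified-User-Name = EXAMPLE\alice; Reason-Code = 266; Reason = The message received was unexpected or badly formatted.",
    "User EXAMPLE\carol was denied access.`r`n Fully-Qualified-User-Name = EXAMPLE\carol`r`n Reason-Code = 16`r`n Reason = (constructed) credentials rejected."
)

# Hypothetical helper: split a message into "Name = value" attributes.
# Accepts both newline-separated and semicolon-separated layouts.
function ConvertFrom-IasMessage {
    param([string]$Message)
    $attrs = @{}
    foreach ($part in ($Message -split '[\r\n;]+')) {
        if ($part -match '^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$') {
            $attrs[$Matches[1]] = $Matches[2]
        }
    }
    return $attrs
}

# One object per denial that carries a Reason-Code.
$denials = foreach ($m in $messages) {
    $a = ConvertFrom-IasMessage $m
    if ($a.ContainsKey('Reason-Code')) {
        New-Object PSObject -Property @{
            User       = $a['Fully-Qualified-User-Name']
            ReasonCode = [int]$a['Reason-Code']
            Reason     = $a['Reason']
        }
    }
}

# Denials per reason code: shows whether 266 dominates after the update.
$denials | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object @{n='ReasonCode';e={$_.Name}}, Count | Format-Table -AutoSize

# Accounts hit by Reason-Code 266 specifically.
$denials | Where-Object { $_.ReasonCode -eq 266 } | Group-Object User |
    Select-Object @{n='User';e={$_.Name}}, @{n='Denials266';e={$_.Count}} |
    Format-Table -AutoSize
```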
Solution:
Scenario 2 in the KB article (http://support.microsoft.com/kb/933430) matches this issue. Using method 3 in the KB article resolved the problem.
Yesterday our two Server 2008 R2 RADIUS servers stopped authenticating Windows clients with this very problem after some updates.
The solution above fixed it for us.
Thanks Eddie, that was an awkward hour or two for me at work.
I just had the same issue on a new wireless network I'm setting up with a 2008 R2 RADIUS Server. I was testing with a MacBook and it was working fine. Then I went to test with a Windows 7 laptop from one of the users and couldn't connect.
It took me a couple hours to find this, but the same solution worked for me. Adding that registry key solved the problem.
I had this issue and have been searching for two days for the fix. Solution #3 on that KB article did the trick. Thanks!
Thanks, this helped me as well. After some security updates, Windows clients failed to authenticate to wifi (while iOS and Win Mobile devices continued to work).