Need help configuring Wireless Connection profile

Guest

I have an SBS 2003 server and a Server 2003 member server set up using RADIUS
authentication and WPA2 encryption. From my laptop, I can connect using the
Intel PROSet Wireless Utility, but not the Windows Wireless Utility. Btw,
my laptop is not joined to the domain so it’s only using a user-based
certificate.

I have two questions:

1 What do I need to do to get the Windows Utility to connect?
2 If I get randomly disconnected, and quite often, using the Intel software,
would I be right in suspecting the cause may be my access point not fully
supporting the WPA2 + RADIUS configuration? My servers aren't logging
anything regarding the disconnects.

I have included my complete Wireless Setup so hopefully this will help
pinpoint the issue.

My IAS log looks like this:
192.168.16.177,LRG\ryanv,10/10/2006,13:18:29,IAS,PIRANHA,4128,D-Link
DI-524,4,192.168.16.177,5,0,30,00-11-95-75-ac-02,31,00-12-f0-4b-ff-22,32,DI-524,12,1380,61,19,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,25,311 1 192.168.17.111 10/10/2006 15:16:36 308,4132,Secured password
(EAP-MSCHAP v2),4127,11,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4136,1,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:18:29,IAS,PIRANHA,4128,D-Link
DI-524,25,311 1 192.168.17.111 10/10/2006 15:16:36 308,4132,Secured password
(EAP-MSCHAP
v2),4127,11,8100,1,4108,192.168.16.177,4116,0,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4155,1,4154,Use Windows authentication for all
users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,6,2,4294967207,2,4294967206,4,4136,2,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:18:55,IAS,PIRANHA,4128,D-Link
DI-524,4,192.168.16.177,5,0,30,00-11-95-75-ac-02,31,00-12-f0-4b-ff-22,32,DI-524,12,1380,61,19,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,25,311 1 192.168.17.111 10/10/2006 15:16:36 312,4132,Secured password
(EAP-MSCHAP v2),4127,11,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4136,1,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:18:55,IAS,PIRANHA,4128,D-Link
DI-524,25,311 1 192.168.17.111 10/10/2006 15:16:36 312,4132,Secured password
(EAP-MSCHAP
v2),4127,11,8100,1,4108,192.168.16.177,4116,0,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4155,1,4154,Use Windows authentication for all
users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,6,2,4294967207,2,4294967206,4,4136,2,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:20:30,IAS,PIRANHA,4128,D-Link
DI-524,4,192.168.16.177,5,0,30,00-11-95-75-ac-02,31,00-12-f0-4b-ff-22,32,DI-524,12,1380,61,19,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,25,311 1 192.168.17.111 10/10/2006 15:16:36 316,4132,Secured password
(EAP-MSCHAP v2),4127,11,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4136,1,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:20:30,IAS,PIRANHA,4128,D-Link
DI-524,25,311 1 192.168.17.111 10/10/2006 15:16:36 316,4132,Secured password
(EAP-MSCHAP
v2),4127,11,8100,1,4108,192.168.16.177,4116,0,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4155,1,4154,Use Windows authentication for all
users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,6,2,4294967207,2,4294967206,4,4136,2,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:20:45,IAS,PIRANHA,4128,D-Link
DI-524,4,192.168.16.177,5,0,30,00-11-95-75-ac-02,31,00-12-f0-4b-ff-22,32,DI-524,12,1380,61,19,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,25,311 1 192.168.17.111 10/10/2006 15:16:36 327,4132,Secured password
(EAP-MSCHAP v2),4127,11,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4136,1,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:20:45,IAS,PIRANHA,4128,D-Link
DI-524,25,311 1 192.168.17.111 10/10/2006 15:16:36 327,4132,Secured password
(EAP-MSCHAP v2),4127,11,8100,0,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,6,2,4294967207,2,4294967206,4,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan Vaillancourt,4120,0x014C52,4136,2,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:21:50,IAS,PIRANHA,4128,D-Link
DI-524,4,192.168.16.177,5,0,30,00-11-95-75-ac-02,31,00-12-f0-4b-ff-22,32,DI-524,12,1380,61,19,4108,192.168.16.177,4116,0,4155,1,4154,Use
Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,25,311 1 192.168.17.111 10/10/2006 15:16:36 331,4132,Secured password
(EAP-MSCHAP v2),4127,11,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4136,1,4142,0
192.168.16.177,LRG\ryanv,10/10/2006,13:21:50,IAS,PIRANHA,4128,D-Link
DI-524,25,311 1 192.168.17.111 10/10/2006 15:16:36 331,4132,Secured password
(EAP-MSCHAP
v2),4127,11,8100,1,4108,192.168.16.177,4116,0,4130,LRG.local/MyBusiness/Users/SBSUsers/Ryan
Vaillancourt,4155,1,4154,Use Windows authentication for all
users,4129,LRG\ryanv,4149,Wireless WPA2 PEAP
Policy,6,2,4294967207,2,4294967206,4,4136,2,4142,0

My setup is as follows:

SMALL BUSINESS SERVER:
STEP #1 Install Certificate Services
On the SBS server, use the Windows add/remove components tool to install
Certificate Services
On the CA Type page, select Enterprise Root CA and then click next
On the CA Identifying Information page, type Lloyd Research Group
Enterprise Root CA
Accept the default storage location for the Root CA

STEP #2 Install Domain Controller Certificate
On the SBS server, go to Start > Run, then type mmc
In the management console, go to File > Add/Remove Snap-in
Add Certificates and select Computer Account
In the Certificates console, expand Local Computer, then right-click
Personal and select Request New Certificate
On the Certificate Types page, select Domain Controller and click next
On the Certificate Friendly Name and Description Page, type the name of the
server and finish installing the certificate

STEP #3 Create Temporary ISA Access Rule
In the ISA Management Console, right-click SBS Protected Networks Access
Rule and select Configure RPC Protocol
Uncheck Enforce strict RPC compliance and then click OK
Right-click Firewall Policy and select New Access Rule (ISA blocks
certificate requests so a temporary rule is needed to let the traffic through)
Configure a new rule as follows:
Name: Temporary Allow All Traffic Rule (for troubleshooting)
Action: Allow
Protocols: All Outbound Traffic
From: All Networks (and Local Host)
To: All Networks (and Local Host)
Users: All Users
Schedule: Always
Content Types: All Content Types
Now apply the changes so the rule is enabled

RADIUS SERVER
STEP #1 Install Certificates to the RADIUS Server
IAS must be installed on a separate server if VPN access is needed on the
SBS server. Otherwise, RADIUS requests will fail.
On the IAS/RADIUS server, go to Start > Run, then type mmc
In the management console, go to File > Add/Remove Snap-in
Add Certificates and select Computer Account.
Add the Certificates snap-in again but this time for My User Account
In the Certificates console, expand Local Computer, then right-click
Personal and select Request New Certificate
On the Certificate Friendly Name and Description Page, type the name of the
server and finish installing the certificate
Expand Current User, then right-click Personal and select Request New
Certificate
On the Certificate Friendly Name and Description Page, type the name of the
user and finish installing the certificate

STEP #2
Go back to the SBS server and disable the Allow all traffic rule in the ISA
Management Console

STEP #3 Install and configure IAS
On the RADIUS server, use the Windows add/remove components tool to install
IAS

STEP #4 Configure RADIUS Client
Once IAS is installed open the Internet Authentication Service console from
the Administrative Tools menu
Right-click the Internet Authentication Service and select Register Server
in Active Directory
Follow the steps to register the RADIUS server
Right-click RADIUS Clients and select New RADIUS Client
Configure the Client as follows:
Friendly Name: D-Link DI-524
Address: 192.168.16.177
Client-Vendor: RADIUS Standard
Check Request must contain the Message Authenticator attribute
Shared Secret: <Enter a complex password>

STEP #5 Configure Wireless Policy
In the Internet Authentication Service console, right-click Remote Access
Policies and select New Remote Access Policy
Name the policy Wireless WPA2 PEAP Policy
On the Access Method page, select Wireless
Add Domain Admin, Domain Users, and Mobile Users to the Policy
On the Authentication Methods page, select Protected EAP (PEAP) and click
configure
The certificate issued should be <servername>.LRG.local
Check off Enable Fast Reconnect and finish creating the policy
Double-Click on the new policy and click Edit Profile
On the Authentication tab, click EAP Methods
Click Add and select Smart Card or other certificate and move it to the top
of the EAP types list. Then click OK. (This is created for use with
domain computers with both user and computer certificates)
On the Encryption Tab, only leave Strongest Encryption (MPPE 128 bit) checked
Click OK twice to apply the policy


ACCESS POINT
Set up the D-Link router as follows:
SSID: Lloyd Research Group
Channel: Auto Select
Mode Setting: G Mode
SSID Broadcast: Enabled
Security: WPA2
PSK/EAP: EAP
RADIUS Server 1: <IP of IAS server>
Port: 1812
Shared Secret: <same secret as in IAS RADIUS Client configuration>


WIRELESS CLIENT
STEP #1 Install User Certificate
Request user cert by navigating to http://lrgi-marlin/certsrv in Internet
Explorer
Click Request a certificate
Click User Certificate
Click Submit and install the User Certificate to the client computer

STEP #2 Configure Wireless Connection Profile
Settings in Intel PROSet connection Profile:
Mode: Enterprise Security
Network Authentication: WPA2-Enterprise
Data Encryption: AES-COMP
Authentication Type: PEAP
Authentication Protocol: MS-CHAP-V2
Domain: lrg
Roaming Identity: LRG\username
Check Validate Server Credentials under PEAP Server section
Certificate Issuer: Lloyd Research Group Enterprise Root CA



The Windows Wireless Utility Profile I am testing is configured as follows:
Network Name: Lloyd Research Group
Network Authentication: WPA2
Data Encryption: AES
EAP Type: Protected EAP (PEAP)
Authenticate as computer when computer information is available is unchecked
Authenticate as guest when user or computer information is unavailable is
unchecked
Validate Server Certificate is unchecked
Authentication Method: Secured password (EAP-MSCHAP v2)
Enable Fast Reconnect is checked
Automatically use my Windows logon name and password is unchecked (Since my
laptop isn’t joined to the domain, I want to be prompted for a username and
password)


So... any ideas?
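
Added example (not part of the original post, and not Microsoft tooling): a small Python parser for IAS-format records like the ones pasted in the post above, summarising per-user Access-Accept timing and Access-Reject reason codes. It assumes each record has been rejoined onto one line, MM/DD/YYYY dates and no commas inside values; the sample records, names and addresses are constructed.

```python
import csv
from datetime import datetime

# Subset of the attribute IDs used in IAS-formatted log files.
ATTRS = {"31": "Calling-Station-Id", "4127": "Authentication-Type",
         "4128": "Client-Friendly-Name", "4129": "SAM-Account-Name",
         "4132": "EAP-Friendly-Name", "4136": "Packet-Type",
         "4142": "Reason-Code", "4149": "NP-Policy-Name"}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}

# Constructed records (placeholder names and addresses), one record per line.
SAMPLE = [
    r"192.0.2.10,EXAMPLE\alice,10/10/2006,13:18:29,IAS,RADIUS01,4128,Test AP,31,00-00-5E-00-53-01,4132,Secured password (EAP-MSCHAP v2),4136,1,4142,0",
    r"192.0.2.10,EXAMPLE\alice,10/10/2006,13:18:29,IAS,RADIUS01,4128,Test AP,4149,Wireless WPA2 PEAP Policy,4136,2,4142,0",
    r"192.0.2.10,EXAMPLE\alice,10/10/2006,13:18:55,IAS,RADIUS01,4128,Test AP,4149,Wireless WPA2 PEAP Policy,4136,2,4142,0",
    r"192.0.2.10,EXAMPLE\alice,10/10/2006,13:20:30,IAS,RADIUS01,4128,Test AP,4149,Wireless WPA2 PEAP Policy,4136,2,4142,0",
    r"192.0.2.10,EXAMPLE\bob,10/10/2006,13:21:02,IAS,RADIUS01,4128,Test AP,4136,3,4142,16",
]

def parse_record(line):
    """Split one unwrapped IAS-format record into header fields and attributes."""
    f = next(csv.reader([line]))
    if len(f) < 6:
        raise ValueError("record is missing the six fixed header fields")
    rec = {"nas_ip": f[0], "user": f[1], "computer": f[5],
           "time": datetime.strptime(f[2] + " " + f[3], "%m/%d/%Y %H:%M:%S")}
    # Everything after the header is a flat list of attribute-id,value pairs.
    pairs = f[6:]
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        rec[ATTRS.get(attr_id, attr_id)] = value
    rec["packet"] = PACKET_TYPES.get(rec.get("Packet-Type"), "other")
    return rec

def summarize(lines):
    """Per user: accept times, seconds between accepts, and reject reason codes."""
    out = {}
    for rec in map(parse_record, lines):
        s = out.setdefault(rec["user"], {"accepts": [], "gaps": [], "rejects": []})
        if rec["packet"] == "Access-Accept":
            if s["accepts"]:
                delta = rec["time"] - s["accepts"][-1]
                s["gaps"].append(int(delta.total_seconds()))
            s["accepts"].append(rec["time"])
        elif rec["packet"] == "Access-Reject":
            s["rejects"].append(rec.get("Reason-Code"))
    return out
```

Short gaps between Access-Accept records for one user, each with Reason-Code 0, show the server granting access on every attempt while the client keeps re-authenticating.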
 
Newtechie

Well, there is an update on the Microsoft site for WPA2 encryption but I
can't remember if it also covers SBS 2003. Just go there and do a search
for 'WPA2'. I think by default WinXP only uses WEP and you have to
download updates for WPA and WPA2.
 
Guest

Thanks for the response,

I probably should have made my configuration look a bit more obvious, but
yes, I know of the WPA2 patch for XP and it is already applied. My
configuration notes this.

Any other ideas?
 
Newtechie

Ok - let's see. I'm sure you know that you can't use both at the same time.
Have you tried disabling the Intel utility? Then, right-click on the
icon and select use Windows XP configuration. Also, the Wireless Zero
Configuration service has to be running. Check your services and if it's
not running, click on Start to enable it.
 
Yves Leclerc

You may need to check your wireless access point/router. This needs to
"point" the info of the Radius authentication to your current Radius server.
I would also check to see if there is a firmware update to this wireless unit.
 
Guest

Thanks for the assistance

Here's a bit more clarification.... The wireless zero service is running,
and I can only use the Intel OR Windows utility, not both at the same time.
Anyway, I can connect to another of our wireless networks using either
client so that confirms the Windows Utility still works - just not for the
WPA2 connection. The one it does work for is only using MAC filtering.
 
Guest

Yves Leclerc said:
> You may need to check your wireless access point/router. This needs to
> "point" the info of the Radius authentication to your current Radius server.

The Access point is set up fine. It works with the Intel utility, just not
the built-in Windows utility.

> I would also check to see if there is a firmware update to this wireless unit.

Both access points were updated with the latest firmware and my laptop is
using the latest Intel software and drivers with all the latest Windows
updates.
 
Newtechie

Are you sure you're using the same PSK for the current network you're trying
to connect to?
I'm not trying to irritate you further by asking a lot of questions but just
trying to figure out what could be the problem because I'm really baffled by
this one.
 
Guest

I think I fixed it. I'll have to give it some time to verify but I am now
able to connect with the Windows Utility and I fixed the constant disconnects
with the Intel software.

I dug into the Intel software and found a wireless event viewer that kept
saying link down every so often. I sat and watched the connection for a bit
and saw that the signal kept fluctuating. It would go from excellent, to
poor, to out of reach in only a few seconds. Then it would disconnect. I
figured I'd try changing the D-Link Wireless Channel from Auto to channel 10.
Now life is good in the Windows wireless world. That was NOT as smooth as
the Administrator's companion led me to believe.

Thank you, everyone, and especially Microsoft Product Support Services. I
now have a secure wireless setup within my small business server environment.
 
