RADIUS with IAS and Netgear WG302

Here is the full documentation for our successful integration of Netgear WG302 wireless access points with a Windows 2000 IAS server. Thank you to Richard Bender for writing this up, and to those who sent me requests for these notes.

Notes on Setting up RADIUS on IAS to use MAC addresses as User IDs

Equipment:
Netgear WG302 ProSafe 802.11g Wireless Access Point
Windows 2000 Server running IAS (Internet Authentication Service)

Situation:
The Netgear ProSafe WG302 provides MAC address filtering for up to 256 MAC addresses. However, if you use multiple WAPs, updating them and managing the address list on each one becomes very time consuming. A central management point (i.e. a RADIUS server) is the obvious solution to this problem.

Why IAS?
If you are running a Win2K Server-based network it is free and it ties into AD.

The Problem:
Make the WG302 interface with the IAS server so that you can control wireless network access via MAC address filtering.

How to set this up:
Install IAS
On the Win2K server that you intend to use for this, add the IAS service:
Add/Remove Programs/Windows Components/Networking Services
The IAS MMC snap-in will then show up in the Administrative Tools window

Configure IAS
Register Service in AD so that it can authenticate users and computers
Right-click the root of the tree pane, Internet Authentication Service (Local), and select Register server in Active Directory
Add Clients
Open the IAS MMC\Clients folder
Add your WAPs as clients
You need the IP address of each WAP and a “shared secret” authentication key (choose a long random one; it is all that protects the password in each RADIUS request)
Set up Log File
Don’t neglect this, these files can get huge quickly.
Set up Remote Access Policies
At least look at the default policy
(our policy is to grant anyone in the Wireless Access security group remote access)

Configure AD (the tricky part)
Create an OU for MAC Addresses (recommended)
Create a new User in that OU
The user name is the MAC address you wish to add, without spaces, hyphens, or periods
Advice: type the MAC address using lower case letters, then copy it to the clipboard (you will paste it again as the password)

****CRITICAL STEP****
The user password is also the MAC address, and you must use lower case letters.
The WG302 sends the MAC address to the IAS server in lower case, as both the user name and the password. If you use upper case letters in the password, authentication will fail. Finish to create the new account.
Two caveats. If your domain enforces password complexity, this password will be rejected: it is identical to the account name and uses at most two character classes (lower-case letters and digits), so these accounts need complexity turned off. And this is MAC filtering, not authentication of a person: the “password” is the client’s own hardware address, which every 802.11 frame carries in the clear, so anyone in radio range can read an authorised address and clone it. Treat it as a convenience control.
Tweak the New Account
Important:
Set membership in a security group that will have remote access (we put all of these accounts into a Wireless Access group), or grant the user Allow access on the account’s Dial-in tab. In a Win2K domain still in mixed mode the Dial-in tab offers only Allow access and Deny access, and the account’s setting overrides the remote access policy, so in that case every account must be set to Allow access.
Optional:
Add the user’s name in the Description field on the General tab, and some sort of sorting info in the Office field on the General tab.
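The account creation above is done by hand in Active Directory Users and Computers. As an added example (not part of Richard’s notes), the following Python script produces an LDIF file that the Windows 2000 ldifde tool can import to create the accounts in bulk. It normalizes each MAC address to the lower-case, separator-free form the WG302 sends, sets the password to that same string through the unicodePwd attribute, marks the account enabled with Allow access on the Dial-in tab (the msNPAllowDialin attribute), and adds it to the Wireless Access group. The OU and group DNs, the domain, the device list and the owner names are assumptions for illustration.

```python
import base64
import re

# Assumed names for illustration; replace with your own DNs.
OU_DN = "OU=MAC Addresses,DC=example,DC=com"
GROUP_DN = "CN=Wireless Access,OU=Groups,DC=example,DC=com"

# Constructed sample input: (MAC address as written on the device label, owner).
DEVICES = [
    ("00:90:99:B1:F7:32", "Richard Bender - laptop"),
    ("00-0C-F1-5A-9E-03", "Library loaner 1"),
    ("0015.de3e.34bd", "Art room iMac"),
]

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lower-case hex digits with no separators, which is
    the exact User-Name the WG302 (v1 firmware) sends; reject anything else."""
    mac = re.sub(r"[:\-.\s]", "", raw).lower()
    if not HEX12.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def unicode_pwd(password):
    """Encode a password for AD's unicodePwd attribute: wrap it in double
    quotes, encode as UTF-16LE, then base64 (LDIF '::' syntax)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def user_entry(mac, owner, ou_dn=OU_DN):
    """LDIF 'add' record for one MAC account: name, logon name and password
    are all the MAC; description carries the owner for later housekeeping."""
    return "\n".join([
        f"dn: CN={mac},{ou_dn}",
        "changetype: add",
        "objectClass: user",
        f"cn: {mac}",
        f"sAMAccountName: {mac}",
        f"description: {owner}",
        "msNPAllowDialin: TRUE",          # Dial-in tab: Allow access
        f"unicodePwd:: {unicode_pwd(mac)}",
        "userAccountControl: 512",        # NORMAL_ACCOUNT, enabled
        "",
    ])


def group_entry(mac, ou_dn=OU_DN, group_dn=GROUP_DN):
    """LDIF 'modify' record adding the new account to the wireless group."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member: CN={mac},{ou_dn}",
        "-",
        "",
    ])


def build_ldif(devices, ou_dn=OU_DN, group_dn=GROUP_DN):
    """Whole import file; a MAC listed twice in different spellings is emitted once."""
    seen = set()
    records = []
    for raw, owner in devices:
        mac = normalize_mac(raw)
        if mac in seen:
            continue
        seen.add(mac)
        records.append(user_entry(mac, owner, ou_dn))
        records.append(group_entry(mac, ou_dn, group_dn))
    return "\n".join(records)


if __name__ == "__main__":
    print(build_ldif(DEVICES))
```

Redirect the script’s output to a file such as macs.ldf and import it with ldifde -i -f macs.ldf -s dc1 -t 636 (server name assumed): setting unicodePwd requires an LDAPS (port 636) connection to the domain controller, and the import fails if the domain enforces password complexity for these accounts, for the reason given in the critical step above.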

Configure the WG302 WAP units
Browse to each unit and:
Go to the RADIUS Server Settings screen
Set the IP address of the RADIUS server
The port should be 1812 unless you are doing something custom
The “shared secret” authentication phrase is the one you entered earlier on the IAS server
Go to the Access Control screen
Turn Access Control on
Select Access Control Database: RADIUS MAC Address Database
Reboot the unit

Now when you bring a wireless system whose address you have put into the Win2K AD into range of the WAP, it should transparently authenticate against the IAS RADIUS server and get an IP address from your DHCP server. You should see entries like this in the System event log:
User 009099b1f732 was granted access.
Fully Qualified User Name = domain name/OU/009099b1f732
NAS-IP-Address = WAP IP Address
NAS Identifier = WAP MAC Address (don’t use this as a template: it is lower case but it uses hyphens)
Client-Friendly Name = WAP name
Client-IP-Address = WAP IP Address
NAS-Port-Type = 19 (the RADIUS code for Wireless - IEEE 802.11)
NAS-Port = 47
Policy-Name = the name of the remote access policy in IAS that matched the request
Authentication-Type = PAP (in our case; the policy’s profile must allow PAP or IAS rejects the request. PAP also means the password, here the MAC address, crosses the wire hidden only by the RADIUS shared secret, so choose a long secret and keep the IAS server on a trusted segment.)

This is useful because it lets you scan the log and see whether each WAP is working. We have found that the new firmware for the WG302 is not perfect (but hey, the first round would not even talk to a RADIUS server) and that occasionally a WAP will “hang” and stop communicating with the RADIUS server. Rebooting the unit fixes the problem. For extra style points you could probably write a script that reboots the units every night to be proactive.
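As an added example (not part of the original notes), here is a small Python script that does the log scan described above automatically. It parses event text in both shapes that appear on this page, the Windows 2000 entry above and the Windows Server 2003 form quoted in the comments, counts grants and denials per access point, names any access point on an assumed list that produced no requests at all in the log window (the “hung” case), and, for each denial, reports the exact user-name string the access point sent, since the AD account has to be named in that form. The sample log text is constructed for the example, with made-up WAP names and addresses.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two entry shapes quoted on this page
# (Windows 2000 IAS first, then Windows Server 2003 IAS).  Not a real capture;
# the WAP names and addresses are made up.
SAMPLE_LOG = """\
User 009099b1f732 was granted access.
Fully Qualified User Name = EXAMPLE/MAC Addresses/009099b1f732
NAS-IP-Address = 192.168.1.2
NAS-Identifier = 00-09-5b-1a-2b-3c
Client-Friendly Name = WAP-Library
Client-IP-Address = 192.168.1.2
NAS-Port-Type = 19
NAS-Port = 47
Policy-Name = Wireless MAC policy
Authentication-Type = PAP

User "00-15-DE-3E-34-BD" access denied
Fully Qualified User Name = EXAMPLE\\00-15-DE-3E-34-BD
NAS-IP-Address = 192.168.1.3
NAS Identifier = 00-14-6C-CD-35-D8:Net2
Client-Friendly Name = WAP-Office
Client-IP-Address = 192.168.1.3
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = Wireless MAC policy
Authentication-Type = PAP
Reason-Code = 16
Reason = The authentication was not successful because an unknown user name or an invalid password was used.
"""

HEADER = re.compile(r'^User "?([^"\s]+)"? (.+?)\.?$')
ATTR = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*=\s*(.*)$")


def parse_events(text):
    """One dict per event.  Attribute names are lower-cased with spaces turned
    into hyphens, so 'NAS Identifier' (2003) and 'NAS-Identifier' (2000) both
    land under 'nas-identifier'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue                      # not an IAS entry; skip it
        ev = {"user": m.group(1), "granted": "granted" in m.group(2)}
        for line in lines[1:]:
            a = ATTR.match(line)
            if a:
                ev[a.group(1).strip().lower().replace(" ", "-")] = a.group(2).strip()
        events.append(ev)
    return events


def user_form(user):
    """How this access point spells the MAC in User-Name.  The AD account
    (and, on the WG302 v1, the password) must be spelled exactly the same."""
    if re.fullmatch(r"[0-9a-f]{12}", user):
        return "lower-case hex, no separators"
    if re.fullmatch(r"[0-9A-F]{2}(-[0-9A-F]{2}){5}", user):
        return "upper-case hex, hyphen-separated"
    if re.fullmatch(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}", user):
        return "lower-case hex, hyphen-separated"
    return "other: " + user


def summarize(events, known_waps):
    """Grant/deny counts and user-name forms per WAP, plus the known WAPs that
    sent nothing at all in this log window (the 'hung' case)."""
    per_wap = defaultdict(lambda: {"granted": 0, "denied": 0, "user_forms": set()})
    for ev in events:
        wap = ev.get("client-friendly-name", ev.get("nas-ip-address", "?"))
        per_wap[wap]["granted" if ev["granted"] else "denied"] += 1
        per_wap[wap]["user_forms"].add(user_form(ev["user"]))
    silent = [w for w in known_waps if w not in per_wap]
    return {"per_wap": dict(per_wap), "silent": silent}


def report(events, known_waps):
    """Plain-text lines: one per WAP seen, one per silent WAP, one per denial."""
    s = summarize(events, known_waps)
    lines = []
    for wap, c in sorted(s["per_wap"].items()):
        lines.append(f"{wap}: {c['granted']} granted, {c['denied']} denied; "
                     f"user-name form: {', '.join(sorted(c['user_forms']))}")
    for wap in s["silent"]:
        lines.append(f"{wap}: no RADIUS requests seen; check the unit or reboot it")
    for ev in events:
        if not ev["granted"]:
            lines.append(f"denied {ev['user']!r} via {ev.get('client-friendly-name', '?')} "
                         f"(reason code {ev.get('reason-code', 'n/a')}); "
                         f"the AD account must be named exactly {ev['user']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_events(SAMPLE_LOG),
                           ["WAP-Library", "WAP-Office", "WAP-Gym"])))
```

Paste or export the relevant System-log events to a text file and pass its contents to parse_events; running the script directly prints the report for the built-in sample. The user_form line is the check the comments below keep coming back to: the account name in AD must match the spelling the access point actually sends, and the log is the only reliable place to read that spelling.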

24 comments

  1. John says:

    After three days of work this turned out to be just another failure in my search to find any MAC address authenticating service that works.

  2. rkassissieh says:

    I’m sorry to hear that, John. IAS does seem to be sensitive and largely undocumented. I hope our documentation at least allowed you to make progress.

  3. Mark says:

    Thank you. This was the solution we were looking for to provide guest wireless access at our school. It is the only solution I have found for MAC address authentication with IAS and Cisco access points. Missed the PAP authentication setting first time through. That is required.

  4. Asad says:

    Thank you. I had found your solution. It is much better, but the problem is I want to use it on a switch-based setup, not on a wireless access point. Although I am using RADIUS, what will be the appropriate solution for that?

  5. Pat says:

    Thanks. This solution worked for me too once I got PAP enabled on IAS… you find it in the Connections to Other Access Servers object properties. I am using Cisco AP1100s and some older Orinoco AP / RORs. Need to see if our low-end Linksys APs can have a firmware upgrade to enable them to utilize RADIUS as well.

  6. Ben says:

    Richard,

    Thanks for the step by step. We are not yet on Active Directory. Is there a way to setup IAS without having AD?

    Ben

  7. KaHo says:

    Thank you so much. That solution was what I was seeking. But I have a problem this time: the user can’t always authenticate. Can I have your mail/MSN to contact you?

  8. Matthew says:

    Has anyone actually written a script to reboot the WG302 access points? I have tried to use PuTTY; it connects and logs in, but when I call the file to run the reboot command nothing happens. Please HELP

    MD@NELC.net

  9. rkassissieh says:

    I have not, but this would be useful.

  10. Martin says:

    Didn’t work for me; users can’t authenticate. I’m using a WG102. They connect but get “incorrect username or password”. All lower case, no spaces, dots, etc. Still no.

  11. Martin says:

    Followed the instructions to the letter; would not work on a 2K box. Tried on my 2K3 box at home and it went straight in. I was using the same AP, as I took one home to try. Must be an IAS problem.

  12. Kevin Lawry says:

    I have this working, thank you for your help. However, we now have some WG302v2 access points and Netgear have changed things. The username presented is now in the form 00-90-99-B1-F7-32, that is, upper case and with dashes. The password presented is now NOPASSWORD, again upper case (that took some finding). Oh, and it no longer works: it authenticates against our RADIUS server, I can sniff the RADIUS success reply, but it still denies access. I am working on that…

  13. Very annoyed says:

    This is a pointless solution and should only be undertaken if you have a lot of time on your hands (and I mean a lot of time, like you have no job or life!!). I have spent hours on this trying to get this system to work with the Netgear WG302 V2 product and I was unable to. Errors and problems varied from IAS problems to compatibility issues between the AP and the IAS server. If you require a MAC address solution for your network, then I suggest going with a Cisco wireless management product that actually works!!

    I hope you are not as pi@sed off as I am at the total waste of time this has been for me.!!!!

    Oh and it works fine for WG302 V1 products!!

  14. rkassissieh says:

    Very true. No, it’s not easy, and it doesn’t work all the time. However, it does work for some people, as it worked for us. Good luck.

  15. Shawn says:

    I am using a Nortel BAP120 WAP and nothing is showing up in the Event Viewer. I have checked the IP address of the WAP and IAS server and all are correct.

    My Remote Access Policy (which is first in the list) contains 2 conditions:
    1. Windows-Group matches "Domain\Wireless Access" and
    2. Authentication-Type matches "PAP"

    Grant remote access permission is selected below.

    When I initially set it up, the Event Viewer was getting populated with some info, but still I could not get a successful wireless connection. After making many changes and deleting and recreating the default policies, nothing is working.

    Any idea what I could be missing?
    Thanks

  16. rkassissieh says:

    Sorry, no. My sysadmin wrote these instructions, and I am not in a position to troubleshoot them! Best of luck with your issues.

  17. Zack DeMoss says:

    This worked great. THANKS

    One tip for everyone. Be careful about the PAP. It held me up for like 30 min. Also make sure all the Allow Remote Access prompts are filled in on the server in AD.

    Check the event viewer to see if something has messed up it might even tell you what it is.

  18. Alex says:

    Worked perfectly with Netgear WG102 (Firmware 4.08). Thanks a lot!

  19. Ben says:

    Hi,

    I tried to use these instructions for the authentication on a Windows Server 2003. But it doesn’t work.

    I have this message in my event log:
    (Translated from german)
    User "00-15-DE-3E-34-BD" access denied
    Fully Qualified User Name = DOMAIN\00-15-DE-3E-34-BD
    NAS-IP-Address = 192.168.1.3
    NAS Identifier = 00-14-6C-CD-35-D8:Net2
    Client-Friendly Name = WAP1
    Client-IP-Address = 192.168.1.3
    NAS-Port-Type = Wireless – IEEE 802.11
    NAS-Port = <not existing>
    Policy-Name = Windows authentication used for all users
    Authentication-Type = PAP
    .
    .
    .
    Code = 16
    Reason: The authentication was not successful, because an unknown user name or an invalid password was used.

    Do you know where the problem is? The MAC address and the dashes?

    Thanks a lot

    Greets from Germany, Bavaria

    Ben

  20. Justin Kelly says:

    Hi,

    With IAS and Netgear WAPs, can you authenticate against AD using the user’s normal username/password AND control client access via MAC address, all via IAS?

    We want to make sure that the user is valid and the client machine is on our ‘OK’ list

    Cheers

    Justin

  21. rkassissieh says:

    Sorry, I have no idea. We only attempted to filter MAC addresses. At the time, I don’t believe we thought it was possible.

  22. Sam Lindsay says:

    After much gnashing and bashing, I finally got my radius server to work on my W2K server. I have a stack of white pages and web page printouts which portray many different implementations of MS Radius. I was beginning to question my reasonably intelligent outlook of myself during this project, as I was finding it all but impossible to get the blasted thing to work at all. However, I now know what each paper is missing when it describes how people got their radius to work.

    I have a handful of NETGEAR WAG102 WAPs, similar to the article above, which in essence work exactly the same. Once I had the Netgear working, I decided to try to get my Linksys SRX WAPs working as well. I set them up exactly the same as the Netgear and used the same laptops for testing. DIDN’T WORK. Humph.

    Looking at the log file (a must have for troubleshooting) I found the major difference in each implementation. The MAC address which is passed from the Netgear is just as stated – all lower case, no dashes or other punctuation, just letters and numbers. However, the Linksys has a different format when sending the MAC address. It uses dashes, i.e. 00-13-10-E7-DA-01. And when setting the password on the Active Directory, you must use these dashes, or it will not work with the Linksys.

    So, if I want to use both types of WAPs, I will have to make double entries in my Active Directory. Not impossible, just a pain in the neck… or buy more Netgear WAPs… they’re better than the Linksys anyway.

    Another note about authentication. The user can log in as any user name they want. It is their password that must match the MAC address in order for AD to authenticate them. There must be a user name that matches the MAC address of the wireless computer, and the password for that computer must be the MAC address, but the user can log into their computer as anything they want, as long as their password matches the MAC. Yes, I tried to change the password – NO, it didn’t work with any password other than the MAC.

    Your mileage may vary!

    Moral: For you folks who can’t seem to get your radius to work, you must go to the Event Viewer / SYSTEM log and see the message that is generated to see the EXACT format which your wap is sending.

    Best of luck in your implementation. It does work, and work well. It IS being successfully used, even though you think all the others are crazy and just imagining that it works. You CAN make this work, and the benefits far outweigh the hassle!

    Sam Lindsay
    MSIS

  23. seaellem says:

    thanks! your guide helped us out today.

  24. Phillip says:

    Hi
    I can authenticate to the radius server, but I keep getting a "windows was unable to find a certificate to log you on to the network" error.
    Any ideas.