IAS configuration challenges with PEAP/MS-CHAP-V2


guayo
03-19-2008, 02:54 PM
Hello,
In our environment, I am testing the MS IAS as a RADIUS server to authenticate the wireless clients. The laptops have the Intel PROSet utility to configure for wireless. The profile is configured with WPA2/AES and PEAP/MS-CHAP-V2.

The issue I have is MS IAS requires the client username in the "Roaming Identity" field. It does not like it when any other name is used instead of the username. This is needed for the first handshake before the TLS is established. Sending a username in clear text is an issue, and I am trying for a workaround.

I know for sure that IAS can be configured with proper Connection Request Processing to allow the roaming identity to have any name other than the username. But I am unable to find out exactly what that attribute is and how to configure CRP in IAS properly.

Any help in this is very much appreciated...

M/Q
03-19-2008, 06:13 PM
Why do you feel that the username is sent in the clear?

guayo
03-20-2008, 10:57 AM
When you do a packet capture it shows the username.

M/Q
03-20-2008, 11:24 AM
Over the wireless link or wired link?

Also if it is over the wireless link you either are not using encryption or when you are sniffing the link you are using a known password to decrypt the WPA2 traffic. That is not really a fair assessment of the situation.

guayo
03-20-2008, 11:33 AM
Please take a look at this link as this will help answer some of your questions.

"2. Roaming Identity: If the Roaming Identity is cleared, %domain%\%username% is the default.
When 802.1x MS RADIUS is used as an authentication server, the server authenticates the device
that uses the Roaming Identity user name from Intel PROSet/Wireless software, and ignores the
Authentication Protocol MS-CHAP-V2 user name. This feature is the 802.1x identity supplied to
the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP
clients. When 802.1x MS RADIUS is used, enter a valid user name. For all other servers, this is
optional. Therefore, it is recommended to use the desired realm (for example,
anonymous@myrealm) instead of a true identity."

The link is "ftp://download.intel.com/support/wireless/wlan/sb/3945abgug.pdf"

This is something even confirmed by the MS IAS team as well as Intel, and they all know this issue of roaming identity. What I am trying to do is support this on the IAS using proper policy configuration, and that is where I need help...

Thanks
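The quoted Intel text says the Roaming Identity is the 802.1X identity handed to the authenticator before the PEAP TLS tunnel exists, which is why it is visible in a capture. As an added illustration (not code from this thread, Intel or Microsoft), the parser below reads an EAPOL-carried EAP-Response/Identity and flags outer identities that still carry a real account name rather than a realm-only placeholder such as anonymous@myrealm; the frames and the CORP\jdoe / corp.example names are constructed for the example.

```python
import struct

# EAP packet codes and method types (RFC 3748); PEAP is type 25.
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAPOL_PACKET = 0          # EAPOL packet type 0 carries an EAP packet

def build_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """Construct an EAPOL frame carrying EAP-Response/Identity (sample data only)."""
    eap_len = 5 + len(identity)                       # code, id, len(2), type, data
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 1, EAPOL_PACKET, len(eap)) + eap   # EAPOL v1 header

def parse_eapol_eap(frame: bytes):
    """Return the EAP packet inside an EAPOL frame, or None if it is not an EAP packet."""
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_PACKET or len(frame) < 4 + body_len:
        return None
    body = frame[4:4 + body_len]
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    eap_type = body[4] if eap_len > 4 else None
    return {"code": code, "id": ident, "type": eap_type, "data": body[5:eap_len]}

def outer_identity(frame: bytes):
    """The cleartext identity sent before TLS, or None for any other EAP packet."""
    p = parse_eapol_eap(frame)
    if p and p["code"] == EAP_RESPONSE and p["type"] == EAP_TYPE_IDENTITY:
        return p["data"].decode("utf-8", "replace")
    return None

def identity_leaks_username(identity: str) -> bool:
    """True when the outer identity looks like a real account (DOMAIN\\user or
    user@realm) rather than an anonymous realm-only identity."""
    user = identity.split("@", 1)[0]          # drop the realm part
    if "\\" in user:
        user = user.split("\\", 1)[1]         # drop the DOMAIN\ prefix
    return user.strip().lower() not in {"", "anonymous"}

def audit(frames):
    """Map each Identity response to (identity, leaks_username) for review."""
    out = []
    for f in frames:
        ident = outer_identity(f)
        if ident is not None:
            out.append((ident, identity_leaks_username(ident)))
    return out

# Constructed sample frames: the PROSet default %domain%\%username% and a realm-only identity.
PROSET_DEFAULT = build_identity_response(b"CORP\\jdoe")
ANON_REALM = build_identity_response(b"anonymous@corp.example")
```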

M/Q
03-21-2008, 07:56 PM
OK, I understand, but why are you using the Intel client application? With IAS and any kind of MS AD network it is almost imperative to use WZC.

Wifi-Guru
04-23-2009, 03:48 PM
Try setting that username field that is sent in the clear to anonymous and that should at least kick start IAS to get the TLS tunnel started.

It might also be a problem with the ProSet tool... try a different client like the Odyssey Access Client; they have a free trial.

I have NEVER been a fan of the ProSet wireless tool.

~K