802.1x trouble: Can't get Nortel IP Phone to authenticate to NPS server through HP ProCurve switch

I've been working on getting 802.1x set up. I've so far gotten WinXP clients to authenticate through our HP ProCurve switch to the NPS server using PEAP/EAP-MSCHAPv2, and to put different authorized users on different VLANs based on AD Groups, as well as unauthorized users onto a separate VLAN. Also, the switch is using the NPS server for securing management logons.

However, when I configure and plug in a Nortel phone, I can see the EAP packets going to the switch, which then sends the Access-Request message to the NPS server. On the NPS server, I can see that the NIC receives the Access-Request packet, but it never responds to it. When I compare the packet to an Access-Request packet from a WinXP client, the only differences I can see are User-Name (1), Port (5), Port-ID (87), Calling-Station-ID (31) and the EAP-Message (79), which to me are the fields that *should* be different. I can also see that the packet is coming in on the correct port (1812). Nothing gets logged in Event Viewer, nor in the NPS log (c:\windows\system32\logfiles\inDDMMYY.log).

It's my understanding that, at the least, I should be getting an IAS_NO_POLICY_MATCH in the log, as I haven't set up a policy for it yet. Also, if I set up a dummy policy to accept all requests on all days and times, using any authentication method, I still get nothing.

The phone is set to use PEAP, but if I understand correctly, even if that was set wrong, I should at least see an Access-Challenge response packet from the server; PEAP doesn't factor in quite that early. Or do I misunderstand?
Any help would be appreciated.
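
The attribute comparison described in the post, as an added Python example that is not part of the thread: it decodes the attribute list of two constructed sample Access-Request packets, lists the attribute types present in only one of them, and applies one rule that makes a RADIUS server drop a request without any reply (RFC 3579 section 3.2: an Access-Request carrying EAP-Message must also carry Message-Authenticator). The packets, user names and MAC addresses are constructed samples and do not show what the poster's phone actually sends.

```python
# Added example, not code from the thread. Minimal RFC 2865 attribute decoder
# plus one silent-discard check from RFC 3579. Sample packets are constructed.
import struct

# Attribute type numbers quoted in the post, plus Message-Authenticator (80)
ATTR_NAMES = {1: "User-Name", 5: "NAS-Port", 31: "Calling-Station-Id",
              79: "EAP-Message", 80: "Message-Authenticator", 87: "NAS-Port-Id"}

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet: 20-byte header, then TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # header = code, id, length, 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_request(attrs, ident=1):
    """Build an Access-Request (code 1) with a zeroed authenticator (sample only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body

def diff_attribute_types(pkt_a, pkt_b):
    """Names of attribute types present in exactly one of the two packets."""
    types_a = {t for t, _ in parse_attributes(pkt_a)}
    types_b = {t for t, _ in parse_attributes(pkt_b)}
    return sorted(ATTR_NAMES.get(t, str(t)) for t in types_a ^ types_b)

def silent_discard_reason(packet):
    """Why a RADIUS server would drop this request without replying, or None."""
    types = {t for t, _ in parse_attributes(packet)}
    if 79 in types and 80 not in types:
        return "EAP-Message without Message-Authenticator (RFC 3579 section 3.2)"
    return None

# Constructed samples: a request with all six attributes, and one lacking (80).
# EAP-Message value is an EAP-Response/Identity: code 2, id 1, length, type 1.
PC_REQUEST = build_request([(1, b"DOMAIN\\alice"), (5, b"\x00\x00\x00\x01"),
                            (87, b"1"), (31, b"00-11-22-33-44-55"),
                            (79, b"\x02\x01\x00\x0a\x01alice"), (80, b"\x00" * 16)])
PHONE_REQUEST = build_request([(1, b"phone1"), (5, b"\x00\x00\x00\x02"),
                               (87, b"2"), (31, b"00-aa-bb-cc-dd-ee"),
                               (79, b"\x02\x01\x00\x0b\x01phone1")])
```

Feeding the raw UDP payloads from a capture into parse_attributes instead of the constructed samples turns this into a quick check of which attributes differ and whether the EAP-Message/Message-Authenticator pairing holds.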

Thanks for the reply.
> At the command prompt, type the following command, and then press ENTER:
> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
I had read about that previously. I had checked whether it was enabled or not, and it only had failure enabled. So following the recommendation on that page, I disabled both, then enabled both. So yes, it's currently enabled. And after this, I tried both the PC and phone again, and while I saw the PC's authentication succeed in the Event Log, I still see nothing for the phone.
> PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
Yeah, but if I understand correctly (and I'm going to read your link right after I post this), after the switch sends the initial Access-Request message in the clear, the RADIUS server should then respond with an Access-Challenge to begin securing the connection between itself and the phone, regardless of what the phone has set for its security type. If the phone can't talk in a way that the server is set to accept, then it won't respond to the Access-Challenge packet, but the server should be sending that Access-Challenge in the first place. Or is there something I've missed in the Access-Request packet that specifies what security type(s) it can handle? I thought that happened after the Access-Challenge?
> Please also provide us the type of your Nortel IP Phone, because some types of Nortel IP Phone may only support EAP-MS-CHAP v1 which is not supported by Windows 2008. We also suggest that you might post your issue on Nortel forums to ask for some more help.
I'm using a Nortel 1120e phone for testing; we also have 1140e phones that will be used with this when it's working, but they should be the same as far as this setup is concerned. I read somewhere that perhaps the Nortel phones only support PEAP-MD5, which doesn't seem to be an option in NPS without a reghack. I'm also following up with our Nortel support locally, as the phone itself and the manual for the phone only says "PEAP" without specifying what it's using inside, but right now I'm trying to determine whether the problem lies with the phone or the server or both. So I thought I'd ask the experts here.
FWIW, I've been testing using an HP ProCurve 3400cl with the latest firmware. I've managed to get the same setup on a Cisco Catalyst 3550 switch, also on its latest firmware, and I get the same results. The PCs can authenticate, the phone can't; NPS still isn't responding.