AD 2008 NPS Radius WLC

Similar Messages

• Microsoft 2008 NPS Radius + WLC

  Anyone have any luck getting this to work? I am at this point just trying to get the radius set up and get the certificate pulled into the EAP section of NPS. Or know if Cisco supports this type of setup. My 2003 IAS box was a snap but now have the Windows Team forcing this god-awful OS onto me to use. Any help docs links appreciated.

  Wow, this thread is still going?
  I found a solution to the issue:
  1. Install NPS
  Start - Control Panel - Programs and Features - Turn Windows Features on or off
  Rt-click Roles - Add Roles - Next - Network Policy and Access Services - Next - Next
  Network Policy Server (tick) - Next - Install - Close
  2. Start NPS and Register in AD
  Start - Administrative Tools - Network Policy Server
  Rt-click NPS (local) - Register Server in Active Directory - OK - OK
  3. Configure Network Policy for Computers
  Expand Policies
  Rt-click Network Policies - New
  Policy Name Computer Policy (or whatever you want to call it) - Next - Add
  Select Windows Groups - Add - Add Groups
  Enter Domain Computers - OK - OK
  Select NAS Port type - Wireless - IEEE 802.11 (tick) - OK - Next - Access Granted - Next
  Microsoft Encrypted Authentication MS CHAP (untick) - Add
  Select Microsoft: Protected EAP (PEAP) - OK - Next - Next
  Select Framed-Protocol | PPP - Remove
  Select Service Type | Framed - Remove
  Select Encryption - No encryption (untick) - Next - Finish
  4. Configure Network Policy for Users
  Repeat steps in 3 above substituting User Policy as name and Domain Users as Group
  5. Setup RADIUS client
  Expand RADIUS Clients and Servers
  Rt-click RADIUS Clients - New RADIUS client
  Friendly Name: WLAN Controller Name of your choice
  Address (IP or DNS): IP address of Controller
  Vendor Name: Cisco
  Shared Secret: The Access Key you set on the Controller - Confirm Shared Secret - OK
  6. Set up Wireless GPO (if you want to automate client distribution)
  Start - Administrative Tools - Group Policy Management
  Rt-click your domain object and Create a GPO in this Domain and Link it Here
  Call it WirelessClient or whatever floats your boat
  Rt-Click the GPO - Edit
  Computer Configuration - Policies - Windows Settings - Security Settings - Wireless Network (IEEE 802.11) Policies
  Rt-click Wireless Network (IEEE 802.11) Policies - Create a new Wireless Policy
  Policy Name WIRELESS (or whatever)
  The rest of the settings need to be as per your controller setup, below are settings for WPA2 enterprise
  Description: Wireless network - yadayada
  Authentication: WPA2
  Encryption: AES
  IEEE 802.1X tab - Settings
  Trusted Roor Certificate Authorities - find your server's root certificate in the list and tick - OK - OK
  Repeat for additional SSIDs if necessary
  That should do it - it worked for me!

• Microsoft 2008 NPS Radius + wireless controller.

  Hi,
  We have implemented new Microsoft 2008 NPS Radius for authentification wireless controller.
  i am seeing RADIUS server x.x.x.x:1812 failed to respond to request (ID 119) for client ............. in controller. But there no logs hitting to the NPS server either failed or success or other related.
  Layer 3 comminucation is fine between controller & server.
  As per the debug logs,controller forwarding request NPS server "Successful transmission of Authentication Packet tp ......NPS proxy ".
  But there is no further key exchange or successful authentication logs, any idea on this?
  Thanks
  Shrinivas.K

  Download NTRadPing and test to see if your radius is working. You can put a sniffer on and see if you see packets coming out of the wlc and radius. You can always remove the aaa from the wlc and add it back on and also remove and add back on the wlc as a aaa client on the radius server.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Authentication Failed to 2008 NPS from Cisco IOS VPN

  I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
  Local authentication works fine.
  Here are cisco configs:
  aaa new-model
  aaa authentication login default local
  aaa authentication login VPNauth group radius local
  aaa authorization network VPNgroup local
  aaa session-id common
  ip radius source-interface Loopback0
  radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
  crypto map VPNMAP client authentication list VPNauth
  crypto map VPNMAP isakmp authorization list VPNgroup
  crypto map VPNMAP client configuration address respond
  crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
  ... other crypto commands
  This is the section of the log from NPS:
  Authentication Details:
      Connection Request Policy Name:    VPN
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        x.x.x.x
      Authentication Type:        PAP
      EAP Type:            -
      Account Session Identifier:        -
      Logging Results:            Accounting information was written to the local log file.
      Reason Code:            16
      Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  I do have PAP enabled on the Network/Connection Request Policies...
  I'm stuck
  Please help

  Can you run a "teat aaa " command to see if the user can be authenticated successfully?
  I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

• Two WLC to the same NPS Radius (win 2008)

  Hi everyone :
  I have a WLC 2504 running with one SSID (authentication 802.1X to NPS radius win 2008 Server) , I have another branch with another WLC 2504.
  Can I have configure the same SSID with the same NPS radiud win 2008 server in this another WLC 2504?? and How could I do it?
  Regards,
  Claudio L.

  Hi Scoott,
  Thank you so much for your response.
  I have used this guide to configure this deployment :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
  In win 2008 server , I just only add the WLC like a new Radius Client ?
  I mean ,
  Frienly Name : WLC2
  Address IP : 192.168.1.X
  Vendor : Radius Standard
  Share secret : xxxx
  And That´s all, right ?

• Cisco WLC 5508 - NPS Radius

  Cisco WLC 5508
  Software Version: 7.4.100.0
  Windows Server 2008R2
  I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
  I added the radius server on the WLC, and configured a new WLAN to use it.
  Both are on the same subnet.
  When trying to conect to the WLAN it kept failing.  I installed wireshark on the server to monitor the radius traffic, and to my surprise there was no radius traffic showing up on the server.  The radius statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting Radius.
  I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a radius test client, and can successfully send radius commands to the server using that utility.
  Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw radius activity on wireshark.  It rejected my access, but at least I saw activity.  It also registerd radius statistcs on the WLC as well.
  So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
  What in the world is going on here?

  I do have local management users on the controller.
  Some hours later I added the option of authenticating management users, for the NPS server. Then logged inn to the management GUI using NPS radius, worked just fine.
  However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
  auditpol /get /subcategory:"Network Policy Server"
  If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
  auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
  So now I know that the NPS radius server works, for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide wihich to blame - the WLC or NPS.

• Win 2008 R2 radius integration with WLC 5508

  Requires help in integrating Win 2008 R2 Radius server with WLC 5508

  Step by Step instructions - NPS & Wireless LAN Controller
  PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
  EAP-TLS
  https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
  hope that helps, Please let me know if you have any other questions in regards to setting up your NPS server
  Please rate that post if it answers your question or helps you  to resolve the problem.

• Cisco Nexus to use Radius AAA authentication using Microsoft 2008 NPS

  I have a Nexus 7010 running
  Just wondering if you can help me with something. I'm having an issue with command authorization thru our aaa config. We don't have a problem authenticating its command authorization that is not working. From what I have seen and read Nexus NX-OS 6.x does not have any commands for aaa authorization unless you are configuring TACACS+. My basic config is below if you can help it would be much appreciated.
  >>ip radius source-interface mgmt 0
  >>radius-server key XXXXX
  >>radius-server host X.X.X.X key XXXXX authentication accounting
  >>radius-server host X.X.X.X key XXXXX authentication accounting aaa
  >>authentication login default group Radius_Group aaa authentication
  >>login console local aaa group server radius Radius_Group
  >>    server X.X.X.X
  >>    server X.X.X.X
  >>    source-interface mgmt0
  Also does anyone know how to configure Microsoft 2008 NPS as a Raduis server to work with Nexus? I have read a few post that suggest changing the
  shell:roles="vdc-admin" in the  Attribute Value field in the RADIUS server
  Does anyone know if this works????
  Thanks

  I have never done this before with ACS but not with NPS. However, you are in the right path. Nexus uses NX-OS which is different in some regards to regular IOS. One of those differences is the AAA setup. In NX-OS you assign users to roles. So for full access you will need to return the following attributes from your Radius server:
  Attribute: cisco-av-pair
  Requirement: Mandatory
  Value: shell:roles*"network-admin vdc-admin"
  For more information take a look at this link:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115925-nexus-integration-acs-00.html
  Hope this helps
  Thank you for rating helpful posts!

• Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

  I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
  https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
  But I have yet to locate a good step by step document on how to set it up and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I have know of and I do not see any errors in the Windows Event Viewer and I do not know where the Acess Point stores it logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but from someone who has never done it before this is difficult as I keep reading on and so many people do it different ways including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching that it is old and outdated and not been updated in a long time so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

  I did configure the Server 2008 R2 RADIUS Server using this video below: 
  https://www.youtube.com/watch?v=g-0MM_tK-Tk
  I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
  I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP as that part through me off completely. Do I need to skip these steps? Thank you for help on this.

• 802.1x PEAP Windows 2008 NPS Certificate

  I've setup a centrally switched SSID on a 5508 WLC utilising 802.1x PEAP authentication to a pair of Windows 2008 NPS which authenticate the PEAP username and password to our Active Directory domain.
  Currently the Windows 2008 NPS servers are utilsing a server certificate issued from our internal Certificate Authority with the certificate being presented to the device upon connection depending upon which server the WLC sends the authentication too. The servers names on the internally issued certificate are in the form of:
  Server01.domain.local
  Server02.domain.local
  Due to these certificates being internally issued certificates when some devices specifically Apple iPad and iPhones connect to the SSID initally they are prompted to accept the certificate but it is listed as not verified as its issued by an internal domain CA and not an external root certificate authority.
  I am going to be obtaining an external root CA issued certificate for both servers to replace the internally issued certifcates however I notice using the internal certificate if I connect a device to the SSID and accept the certificate of server with certificate name server01.domain.local and then if disable the ability for clients to connect to server01 the WLC will automatically forward the authentication connection to the next server on the list however as this server is presenting a different certificate "server02.domain.local" devices which are conducting certificate validation will fail to connect as the certificate does not match the previously accept certificate.
  Does anyone know a way around this?
  Will adding say server02.domain.local as an additional name to the certificate for server01.domain.local resolve this issue?

  Hi,
  Please confirm the Win7 clients has renew the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
  More information:
  Renew a Certificate
  http://technet.microsoft.com/en-us/library/cc730605.aspx
  NPS Server Certificate: Configure the Template and Autoenrollment
  http://msdn.microsoft.com/en-us/library/cc754198.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Wireless Controller and Microsoft Windows 2008 NPS

  Hello Community,
  Got a Nightmare project to convert our Wireless over to Windows 2008 NPS for AP, Controller and User Athenication.  Anyone have a link to a good Deployment Guide/How To on what is needed for the NPS Server (esp the attributes for AP, Contoller and Users)?
  Thank You
  Michael

  So you are looking to use RADIUS to authenticat the managment users and the actual wireless clients?
  RADIUS Managment
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
  This goes over what attribute you need to return from the RADIUS server.
  For the users:
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• AiroNet 1140 Authentication Issues Windows Server 2008 NPS

  Hello,
  We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
  *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
  FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
  FAIL

  Hi Steve, Here is the config for the AP.  Some screenshots of the NPS config are below, too.  Please let me know if you need more information from our NPS server.  Thanks, Doug
  ap#sh run
  Building configuration...
  Current configuration : 2971 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
  aaa new-model
  aaa group server radius rad_eap
  server 10.20.2.96 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  server 10.20.2.96 auth-port 1645 acct-port 1646
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 syslog
  dot11 ssid wifi
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
  username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid wifi
  antenna gain 0
  speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
  m8. m9. m10. m11. m12. m13. m14. m15.
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid wifi
  antenna gain 0
  dfs band 3 block
  speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
  . m12. m13. m14. m15.
  channel dfs
  station-role root access-point
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.40.0.200 255.255.0.0
  no ip route-cache
  ip default-gateway 10.40.0.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server local
    no authentication mac
    nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
  677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  ap#

• 2504 Wireless Controller and Server 2008 NPS

  I want to configure a simple NPS/RADIUS server for wireless authentication. I've read well over the EAP setup, and becaues it makes use of certificates it isn't going to work for non-domain computers. I'm looking for a way to copy what I have to VPNs, where when a user tries to login it ask for their username and password.
  Ergo, when a computer, ipad, iphone, android, or mac connects to the wireless I want them to be asked for their domain username and password. If possible I'd like to keep it so they do not need to specify domain\username but rather just their username.
  Is what I'm looking to do possible? I've configured it with EAP but again in this deployment I cannot make use of certificates or a domain CA. I am also not able to touch every machine that comes in to connect to the wireless. I am also looking to use LDAP/RADIUS in place of a PSK or WEP key so that user passwords can be changed per the domain policy every so often. We also have a wireless users group so not just anyone can connect. For every other non-company employee we already have a restricted SSID for guest with a PSK.
  Thanks in advance for any and all suggestions!

  Joe:
  Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
  EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
  PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
  for PEAP-MSCHAPv2, Your options are:
  - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
  - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
  - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
  You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.

  I want to know the configuration of Cisco aironet 2600 series AP with windows 2008 R2 Radius server.  
  I have
  1. AD & DHCP Server
  2. Cisco Aironet 2600 Access Point.
  I want to connect wifi devices through this AP. Authentication should be through Radius server and AD.

  Hi , 
  Below link should support your requirement 
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
  Minimal command : -
  AP(config)# aaa new-model
   AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
   AP(config)# radius-server deadtime 10
  HTH
  Sandy

• 5508 WLC to Server2008 NPS Radius

  I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. Can anyone tell me the required client setup to satisfy the MS NPS?

  NPS properties attached