LobbyAmbassador / WCS -- 4xWLC's / NPS server

Hi,
Quick run down:
* v7.0.240
* WCS managing 4x WLC's
* Lobby Ambassador account created on WCS to manage users connecting to the WCS via RADIUS and have permissions to create guest accounts
* profile for guest access is created fine
   - when logging in with the LOCAL lobby account created initially (not RADIUS) the default settings remain fine
   - when logging in with RADIUS the default settings created in the profile do not remain the same, they can change
RADIUS ATTRIBUTES configured on the LobbyAmbassador group and the NPS server:
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
Am i missing something? What do I need to configure (attribute wise) to prevent the RADIUS users being able to modify the WCS lobbyambassador profile configured?

please check the link :
https://supportforums.cisco.com/discussion/11137666/wcs-lobby-ambassador-aaa-authentication

Similar Messages

  • Need for NPS server certificate with PEAP-MS-CHAPv2

    Hi,
    I have a question about a small setup I'm currently testing. In a Wireless access with 802.1X authentication based on PEAP/MS-CHAPv2, and a NPS server (MS server 2012R2), I've noted reading technet documentation that the NPS server or other RADIUS server
    do have a certificate (issued by a 3rd party CA or by an AD CS environment).
    However, it remains for me a point I would like to clarify (sorry I surely have a bad understanding of documentation). If my client is configured for not "validate server certificate", do I still need to have a certificate on the NPS server ?
    Well, I know it is not secured, but this will permit me to test without configuring an AD CS, and without buying a certificate.
    Many thanks in advance for your answer.
    Regards,
    Fabrice

    You also need a server certificate in this case as the protection in Protected EAP is due to the encryption of the TLS session.
    Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server - given that its certificate chain is valid. But the certificate chain as such is checked as in every
    SSL handshake.
    You don't need a certificate issued by a commercial CA though - you could use an inhouse PKI. For tests you could use a self-signed certificate as well.
    Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
    Elke

  • RADIUS Authentication Problems with NPS Server Eventid 6274

    Hi,
    We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
    Network Policy Server discarded the request for a user
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            NULL SID
        Account Name:            host/hostname.domainname.com
        Account Domain:            -
        Fully Qualified Account Name:    -
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        40-20-B1-F4-BB-15:Wireless-SSID
        Calling Station Identifier:        C1-18-85-08-10-E1
    NAS:
        NAS IPv4 Address:        192.168.10.10
        NAS IPv6 Address:        -
        NAS Identifier:            AP name
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0
    RADIUS Client:
        Client Friendly Name:        name
        Client IP Address:            192.168.10.10
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NPS servername
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            3
        Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            NULL SID
        Account Name:            domainname\username
        Account Domain:            -
        Fully Qualified Account Name:    -
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        20-18-B1-F4-BB-15:Wireless-SSID
        Calling Station Identifier:        09-3E-8E-3E-5A-C9
    NAS:
        NAS IPv4 Address:        192.168.10.10
        NAS IPv6 Address:        -
        NAS Identifier:            AP name
        NAS Port-Type:            Wireless - IEEE 802.11
        NAS Port:            0
    RADIUS Client:
        Client Friendly Name:        name
        Client IP Address:            192.168.10.10
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        NPS server name
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        -
        Reason Code:            3
        Reason:                The RADIUS Request message that Network Policy Server received from the network access server was malformed.
    Message seen from the AP's logs:
    (317)IEEE802.1X auth is starting (at if=wifi0.2)
    (318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
    (319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
     (320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
     (321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162,  User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
     (322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC  
    Output omitted
    (330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
    We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
    Initally the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Somputer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue(Not sure if
    this matters?)
    Please guide me on how to take this further
    Thank you :)
    //Cris

    Hi,
    NPS Event ID: 6274.
    This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
    Detailed information reference:
    Event ID 6274 — NPS Accounting Request Message Processing
    https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Config RADIUS on WLC 5508 - Problems comunication with NPS Server

    Hi,
    I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
    My WLAN interface is in a different vlan than the management interface, is that a problem?
    I want this wlan to be on a different vlan from the management. When i use wlan interface in the same vlan the RADIUS works without problems. But in different vlans is not working.
    The NPS server as 2 NICs, 1 for the wireless vlan, and another for the management vlan.
    the logs from the WLC shows this, but i have difficulties interpreting all this data:
    *apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)

    yes, I thought of that. But if i use a simple password authentication on the wireless, i can reach the server with the same subnet interface. But i don't want to allow this subnet to acess the management subnet of the wireless controller.
    One question i have is: The WLC uses whitch subnet on radius? Uses the subnet of the wireless interface or uses always the management interface?
    Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    I also note this: "Applying Local Bridging Interface Policy for station "
    What does this means?

  • 802.1x trouble: Can't get Nortel IP Phone to authenticate to NPS server through HP ProCurve switch

    I've been working on getting 802.1x set up.  I've so far gotten WinXP clients to authenticate through our HP ProCurve switch to the NPS server using PEAP/EAP-MSCHAPv2, and to put different authorized users on different VLANs based on AD Groups, as well
    as unauthorized users onto a separate VLAN.  Also, the switch is using the NPS server for securing management logons.
    However, when I configure and plug in a Nortel phone, I can see the EAP packets going to the switch, which then send the Access-Request message to the NPS server.  On the NPS server, I can see that the NIC receives the Access-Request packet, but it
    never responds to it.  When I compare the packet to an Access-Request packet from a WinXP client, the only differences I can see are User-Name (1), Port (5), Port-ID (87), Calling-Station-ID (31) and the EAP-Message (79), which to me are the fields that
    *should* be different.  I can also see that the packet is coming in on the correct port (1812).  Nothing gets logged in Event Viewer, nor in the NPS log (c:\windows\system32\logfiles\inDDMMYY.log).
    It's my understanding that at least, I should be getting an IAS_NO_POLICY_MATCH in the log, as I haven't set up a policy for it yet.  Also, if I set up a dummy policy to accept all requests on all days and times, using any authentication method, I still
    get nothing.
    The phone is set to use PEAP, but if I understand correctly, even if that was set wrong, I should at least see an Access-Challenge response packet from the server; PEAP doesn't factor in quite that early.  Or do I misunderstand?
    Any help would be appreciated.

    Thanks for the reply.
    > At the command prompt, type the following command, and then press ENTER:
    > auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    I had read about that previously.  I had checked whether it was enabled or not, and it only had failure enabled.  So following the recomendation on that
    page, I disabled both, then enabled both.  So yes, it's currently enabled.  And after this, I tried both the PC and phone again, and while I saw the PC's authentication succeed in the Event Log, I still see nothing for the phone.
    > PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible
    Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
    Yeah, but
    if I understand correctly (and I'm going to read your link right after I post this), after the switch sends the initial Access-Request message in the clear, the RADIUS server should then respond with an Access-Challenge to begin securing the connection beween
    itself and the phone, regardless of what the phone has set for it's security type.  If the phone can't talk in a way that the server is set to accept, then it won't respond to the Access-Challenge packet, but the server should be sending that Access-Challenge
    in the first place.  Or is there something I've missed in the Access-Request packet that specifies what security type(s) it can handle?  I thought that happened after the Access-Challenge?
    > Please also provide us the type of your Nortel IP Phone, because some types of Nortel IP Phone may only support EAP-MS-CHAP v1 which is not supported by Windows
    2008. We also suggest that you might post your issue on Nortel forums to ask for some more help.
    I'm
    using a Nortel 1120e phone for testing; we also have 1140e phones that will be used with this when it's working, but they should be the same as far as this setup is concerned.  I read somewhere that perhaps the Nortel phones only support PEAP-MD5, which
    doesn't seem to be an option in NPS without a reghack.  I'm also following up with our Nortel support locally, as the phone itself and the manual for the phone only says "PEAP" without specifying what it's using inside, but right now I'm trying to determine
    whether the problem lies with the phone or the server or both.  So I thought I'd ask the experts here.
    FWIW,
    I've been testing using a HP ProCurve 3400cl with the lastest firmware.  I've managed to get the same setup on a Cisco Catalyst 3550 switch, also on it's latest firmware, and I get the same results.  The PCs can authenticate, the phone can't; NPS
    still isn't responding.

  • NPS Server Sizing - Millions of Connections

    Hello --
    I am looking for server sizing requirements for the NPS server which could potentially serve millions of devices. 
    I've seen the previous post related to sizing found here:  https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4b21739-1416-416f-80d1-434e03e86434/sizing-reccomendations-for-nps
    Any recommendations or documents you can provide would be helpful.
    Thank You!

    Hi,
    Based on your description, you would like to find related documents about how many clients one NPS server can serve or how many authentication requests one NPS server can process.
    As far as I know, there is no similar document from Microsoft about this.
    Greg’s post gave detailed information about this issue. And the article which Greg provided
    Best Practices for NPS(http://technet.microsoft.com/en-us/library/cc771746(v=WS.10).aspx ) is a good reference about NPS.
    In this article, it mentions some best practices about using NPS in large organizations. Such as, if NPS server receive a very large number of authentication requests per
    second, we can improve performance by increasing the number of concurrent authentications between NPS and the DC.
    Best Regards,
    Tina

  • How many NPS server can be registered as radius server in AD

    Hi
    We are using 2x Microsoft (2008 R2 Ent) NPS radius servers for our Wifi authentication for two different SSID on Aerohive WLAN network. 
    Trying to setup radius authentication for our Cisco Network devices and trying to use one of the radius server which we are using for our wifi auth. Followed all the steps but auth keep failing and now I am getting to the point where I am ready to deploy
    new NPS server for this.
    Before I go ahead and complete the install and register the new radius server in our AD, I would like to know if there is a limit for how many radius servers can be registered in Microsoft Active Directory.
    Thanks Heaps
    Sid

    I believe from the older versions, that the limit was 256? But of course, we wouldn't want to go that far.
    If you are trying to configure a Cisco device and you have a Cisco 24/7 Gold Support contract, they will help you and step you through it on both the Cisco side and the Windows side. I've used them before for a Cisco AP 1231 a few years back, and their support
    was phenomenal and well worth the price of the contract.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • 2 ssid with 802.1x NPS server

    hi
    i have a 1140 AP and i have an ssid on it authenticate users from NPS server.
    but now i need to conifure on it 2 ssid  with different vlans each ssid authenticate from the same NPS server but with diferent groups.
    how could i do this ?

    Hello there..
    Below link are config examples
    http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
    VLANS on a autonomous example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml
    802.1X example
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    NPS 802.1X config info
    http://blogs.technet.com/b/nap/archive/2008/06/19/nap-802-1x-configuration-walkthrough.aspx
    This should get you started ...

  • AD user login or services will affect if we add new NPS server in existing AD environment ?

    Hi
    We have three Domain controllers in our company in Windows 2008 R2 platform and different RODCs .We would like to add an additional NPS server in it.Existing AD user login or services will affect by this?

    Hi,
    Based on my research, if the NPS server is a member of an AD DS domain, NPS uses the directory service as its user account database and is part of
    a single sign-on solution. The same set of credentials is used for network access control and to log on to an AD DS domain. NPS will compare user credentials that it receives from network access servers with the credentials that are stored for the user
    account in AD DS to perform authentication. Furthermore, NPS server uses network policy and checks user account dial-in properties in AD DS to authorize connection requests.
    For more information, please refer to the link below:
    Register the NPS Server in Active Directory Domain Services
    http://technet.microsoft.com/en-us/library/cc754878.aspx
    Best regards,
    Susie

  • Wireless with PEAP Authentication not working using new NPS server

    All,
    We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
    I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
    But it is not working for me. I am getting the following error message on the NPS server.
    Error # 1
    =======
    Cryptographic operation.
    Subject:
                Security ID:                 SYSTEM
                Account Name:                       MADXXX
                Account Domain:                    AD
                Logon ID:                    0x3e7
    Cryptographic Parameters:
                Provider Name:          Microsoft Software Key Storage Provider
                Algorithm Name:         RSA
                Key Name:      XXX-Wireless-NPS
                Key Type:       Machine key.
    Cryptographic Operation:
                Operation:       Decrypt.
                Return Code:  0x80090010
    Error # 2
    ======
    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    I was wondering if anyone has any insight on what is going on.
    Thanks, Ds

    Scott,
    I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
    I  disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
    Cryptographic operation.
    Subject:
    Security ID: SYSTEM
    Account Name: MADHFSVNPSPI01$
    Account Domain: AD
    Logon ID: 0x3e7
    Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: RSA
    Key Name: DOT-Wireless-NPS
    Key Type: Machine key.
    Cryptographic Operation:
    Operation: Decrypt.
    Return Code: 0x80090010
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: AD\mscdzs
    Account Name: AD\mscdzs
    Account Domain: AD
    Fully Qualified Account Name: AD\mscdzs
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 64-ae-0c-00-de-f0:DOT
    Calling Station Identifier: a0-88-b4-e2-79-cc
    NAS:
    NAS IPv4 Address: 130.47.128.7
    NAS IPv6 Address: -
    NAS Identifier: WISM2B
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 29
    RADIUS Client:
    Client Friendly Name: WISM2B
    Client IP Address: 130.47.128.7
    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Attached are EAP logs & debug logs from the controller.
    Thanks for all the help. I really appreciate.

  • Server 2012 NPS Server not authenticating IKEv2 requests

    Hello Experts,I am having a weird problem regarding NPS Server when I upgraded my vpn servers from server 2008 R2 to Server 2012 R2. Actually in my infrasturcture I have a Windows 2008 R2 based AD and in its domain I have an NPS server joined as member server. This NPS server is based on server 2012 R2, when I upgraded my VPN servers from server 2008 R2 to server 2012 R2 the IKEv2 stops working every other protocols works on windows 7 when I try to connect using IKEv2 it hangs at verifying username and password nad when I tested IKEv2 in Win 8 it says IKE authentication credentials are unacceptable, inspite that my server certificate is valid EKU compatible. When I connected IKEv2 via my other server whose server 2008 R2 based VPN Server The IKEv2 works like a charm without any issues successfully authenticating. The problem seems to...
    This topic first appeared in the Spiceworks Community

    Indeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
    But my issue is that non-compliant clients get an IP address from the entire subnet and i want to assign only a specific
    range in my entire subnet/scope to be assigned to non-compliant clients. 
    It's funny you can specify an IP Address Range in the DHCP policy but then it doesnt work. 
    On the other hand you have a valid point there Greg about DNS/DHCP flooding.
    Still hope to hear why this setup will not work and if it is supported or can work tough :-)

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

    Hi All, Can any one guide me to
    configure 802.1x with acs 5.0. Its totally new look and m not able to
    find document related to 802.1x.Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • WCS Image Path In Server

    Hi all
    I have a wcs installed with Every thing functioning properly.I am trying to see the path on which the floor plan get stored in the server.
    I would like to know that "is it possible to take the floorplan from the server" or "where is the image get stored in the server while uploading maps".
    I had seen in webnms-->Map image folder.But the folder is empty.
    Regards
    Danish

    Hi Danish:
    The maps are stored under /webnms/webacs/images/domainmaps
    When WCS is stopped, yes, it would be possible to copy/paste those files from that directory to some other, but I wouldn't recommend removing them or doing this while WCS is live.
    Sincerely,
    Rollin Kibbe
    Network Management Systems Team

  • NAP with DHCP with an external NPS server

    Hi ,
    I have setup NAP with DHCP setup in my lab setup  and it is working . On my setup both the DHCP server and NPS are running on the same Longhorn server .
    What  I would like to understand better is the communication between the DHCP server and the radius server ( i.e NPS ) .I would therefore  like to run these two components on two separate boxes and capture sniffer traces as the two are communicating.
    My question is what do I need to configure to have the DHCP server and  NPS to talk to each other since I will run them on two separate machines. Is there a write up that explains the interaction between the two .
    Thanks
     Mohammed Yassin

    I have configured NPS2 to proxy Machine Identity "Machine health check" to NPS1.  NPS2 is generating RADIUS Access-Requests when a client is attempting to obtain a DHCP address (as configured in the step by step doc) The RADIUS Access-Reject message is being returned, here is the output.  There is no user account in the originating request from NPS2, nor is the user account info present in the DHCP request by the NAP enabled client so I'm not sure how this should work.
    Log Name:      System
    Source:        IAS
    Date:          1/24/2007 9:25:47 AM
    Event ID:      2
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      NPS1
    Description:
    User <not present>  was denied access.
     Fully-Qualified-User-Name = <undetermined>
     Machine-Name = Infoblox-Vista1
     OS-Version = <not present>
     NAS-IP-Address = 192.168.0.3
     NAS-IPv6-Address = <not present>
     NAS-Identifier = NPS2
     Called-Station-Identifier = 192.168.0.0
     Calling-Station-Identifier = 001641E14B12
     Client-Friendly-Name = NPS2
     Client-IP-Address = 192.168.0.3
     Client-IPv6-Address = <not present>
     NAS-Port-Type = Ethernet
     NAS-Port = <not present>
     Proxy-Policy-Name = Use Windows authentication for all users
     Policy-Name = Connections to other access servers
     Authentication-Provider = Windows
     Authentication-Server = NPS1.idblox.com
     Authentication-Type = Unauthenticated
     EAP-Type = <undetermined>
     Account-Session-Identifier=349348166
     Reason-Code = 65
     Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="IAS" />
        <EventID Qualifiers="32768">2</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-01-24T17:25:47.000Z" />
        <EventRecordID>38921</EventRecordID>
        <Channel>System</Channel>
        <Computer>NPS1</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%2147483686</Data>
        <Data>%%2147483685</Data>
        <Data>Infoblox-Vista1</Data>
        <Data>%%2147483686</Data>
        <Data>192.168.0.3</Data>
        <Data>%%2147483686</Data>
        <Data>NPS2</Data>
        <Data>192.168.0.0</Data>
        <Data>001641E14B12</Data>
        <Data>NPS2</Data>
        <Data>192.168.0.3</Data>
        <Data>%%2147483686</Data>
        <Data>Ethernet</Data>
        <Data>%%2147483686</Data>
        <Data>Use Windows authentication for all users</Data>
        <Data>Connections to other access servers</Data>
        <Data>%%2147483688</Data>
        <Data>NPS1.idblox.com</Data>
        <Data>Unauthenticated</Data>
        <Data>%%2147483685</Data>
        <Data>349348166</Data>
        <Data>65</Data>
        <Data>%%3221229633</Data>
        <Binary>00000000</Binary>
      </EventData>
    </Event>

  • WCS 4.2.81 Server Backup

    Does anyone have the automatic backup working in WCS? I have it enabled and set to every 3 days at 17:00 currently and it refuses to run. It's only performed 1 automatic backup for me ever when I had it set to 01:00 and then it stopped. Curious as to what is going on.

    I experienced the same thing, so I upgraded to 4.2.97.0 and all is well with the backups now.

Maybe you are looking for

  • Not Allow 1st Character to Be a , or |

    In a SQL table on occasion (very rarely) the 1st character is a , or a | is there a way to update to remove so if that is the case, or is there a way to update if/when this occurs?  And if update is the best way to do such I would want to remove the

  • Image processing Error 810

    Please help with this issue. Is it a lack of memory? I still have 40 GB of memory on my machine and just added more RAM. Thanks - Jill Here's the problem: When I attempt to launch scripts>image processor, it tells me "Sorry something happened and I c

  • Choosing a cell depending on revolving Data

    I hope I can explain this correctly. I have one cell in Table 1 that I want to be a word from another cell from Table 2 Column A, depending on the data in Table 2 Column B For example, I have a table (Table 2) with 2 columns where Column A = Name, an

  • Acrobat Pro X color management

    We've just upgraded to Acrobat 10, and we have our own color management file. Even though I put it in the appropriate folder, it does not show up in the color management preferences window. Can anyone tell me how I can get my file to work? Thanks.

  • IBooks sync issues

    My ibooks don't sync properly with my iPhone.  When I de-select certain books it automatically re-selectes them during the sync process and ends up not taking them off my iphone.  Sometimes other books are automatically selected while others are not.