LobbyAmbassador / WCS -- 4xWLC's / NPS server
Hi,
Quick run down:
* v7.0.240
* WCS managing 4x WLC's
* Lobby Ambassador account created on WCS to manage users connecting to the WCS via RADIUS and have permissions to create guest accounts
* profile for guest access is created fine
- when logging in with the LOCAL lobby account created initially (not RADIUS) the default settings remain fine
- when logging in with RADIUS the default settings created in the profile do not remain the same, they can change
RADIUS ATTRIBUTES configured on the LobbyAmbassador group and the NPS server:
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
Am i missing something? What do I need to configure (attribute wise) to prevent the RADIUS users being able to modify the WCS lobbyambassador profile configured?
please check the link :
https://supportforums.cisco.com/discussion/11137666/wcs-lobby-ambassador-aaa-authentication
Similar Messages
-
Need for NPS server certificate with PEAP-MS-CHAPv2
Hi,
I have a question about a small setup I'm currently testing. In a Wireless access with 802.1X authentication based on PEAP/MS-CHAPv2, and a NPS server (MS server 2012R2), I've noted reading technet documentation that the NPS server or other RADIUS server
do have a certificate (issued by a 3rd party CA or by an AD CS environment).
However, it remains for me a point I would like to clarify (sorry I surely have a bad understanding of documentation). If my client is configured for not "validate server certificate", do I still need to have a certificate on the NPS server ?
Well, I know it is not secured, but this will permit me to test without configuring an AD CS, and without buying a certificate.
Many thanks in advance for your answer.
Regards,
FabriceYou also need a server certificate in this case as the protection in Protected EAP is due to the encryption of the TLS session.
Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server - given that its certificate chain is valid. But the certificate chain as such is checked as in every
SSL handshake.
You don't need a certificate issued by a commercial CA though - you could use an inhouse PKI. For tests you could use a self-signed certificate as well.
Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
Elke -
RADIUS Authentication Problems with NPS Server Eventid 6274
Hi,
We have struggled for a while with RADIUS auth for some clients against an NPS Server when the user or computer tries to connect to the wireless network the following error can be seen on the NPS server:
Network Policy Server discarded the request for a user
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/hostname.domainname.com
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 40-20-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: C1-18-85-08-10-E1
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS servername
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: domainname\username
Account Domain: -
Fully Qualified Account Name: -
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 20-18-B1-F4-BB-15:Wireless-SSID
Calling Station Identifier: 09-3E-8E-3E-5A-C9
NAS:
NAS IPv4 Address: 192.168.10.10
NAS IPv6 Address: -
NAS Identifier: AP name
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: name
Client IP Address: 192.168.10.10
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NPS server name
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 3
Reason: The RADIUS Request message that Network Policy Server received from the network access server was malformed.
Message seen from the AP's logs:
(317)IEEE802.1X auth is starting (at if=wifi0.2)
(318)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=157 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(319)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=157 length=90
(320)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=158 length=286, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(321)Send message to RADIUS Server(192.168.60.166): code=1 (Access-Request) identifier=161 length=162, User-Name=domain\username NAS-IP-Address=192.168.10.10 Called-Station-Id=40-18-B1-F4-BB-15:Wireless-SSID Calling-Station-Id=C0-18-85-08-10-E1
(322)Receive message from RADIUSServer: code=11 (Access-Challenge) identifier=161 length=90 BASIC
Output omitted
(330)Sta(at if=wifi0.2) is de-authenticated because of notification of driver
We have other NPS Servers with corresponding policy settings which are working so I am having trouble to understand why this errors occurs.
Initally the problem seemed to be related to the Cert on the NPS server cause it used the cert generated from the Somputer template. Now it uses the template for Domain controller just as the other NPS servers so this should not be the issue(Not sure if
this matters?)
Please guide me on how to take this further
Thank you :)
//CrisHi,
NPS Event ID: 6274.
This condition occurs when the NPS discards accounting requests because the structure of the accounting request message that was sent by a RADIUS client does not comply with the RADIUS protocol. You should reconfigure, upgrade, or replace the RADIUS client.
Detailed information reference:
Event ID 6274 — NPS Accounting Request Message Processing
https://technet.microsoft.com/en-us/library/cc735339(v=WS.10).aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Config RADIUS on WLC 5508 - Problems comunication with NPS Server
Hi,
I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
My WLAN interface is in a different vlan than the management interface, is that a problem?
I want this wlan to be on a different vlan from the management. When i use wlan interface in the same vlan the RADIUS works without problems. But in different vlans is not working.
The NPS server as 2 NICs, 1 for the wireless vlan, and another for the management vlan.
the logs from the WLC shows this, but i have difficulties interpreting all this data:
*apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
*apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station: (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)yes, I thought of that. But if i use a simple password authentication on the wireless, i can reach the server with the same subnet interface. But i don't want to allow this subnet to acess the management subnet of the wireless controller.
One question i have is: The WLC uses whitch subnet on radius? Uses the subnet of the wireless interface or uses always the management interface?
Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
Received EAPOL START from mobile 3c:c2:43:94:3e:bc
dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
I also note this: "Applying Local Bridging Interface Policy for station "
What does this means? -
I've been working on getting 802.1x set up. I've so far gotten WinXP clients to authenticate through our HP ProCurve switch to the NPS server using PEAP/EAP-MSCHAPv2, and to put different authorized users on different VLANs based on AD Groups, as well
as unauthorized users onto a separate VLAN. Also, the switch is using the NPS server for securing management logons.
However, when I configure and plug in a Nortel phone, I can see the EAP packets going to the switch, which then send the Access-Request message to the NPS server. On the NPS server, I can see that the NIC receives the Access-Request packet, but it
never responds to it. When I compare the packet to an Access-Request packet from a WinXP client, the only differences I can see are User-Name (1), Port (5), Port-ID (87), Calling-Station-ID (31) and the EAP-Message (79), which to me are the fields that
*should* be different. I can also see that the packet is coming in on the correct port (1812). Nothing gets logged in Event Viewer, nor in the NPS log (c:\windows\system32\logfiles\inDDMMYY.log).
It's my understanding that at least, I should be getting an IAS_NO_POLICY_MATCH in the log, as I haven't set up a policy for it yet. Also, if I set up a dummy policy to accept all requests on all days and times, using any authentication method, I still
get nothing.
The phone is set to use PEAP, but if I understand correctly, even if that was set wrong, I should at least see an Access-Challenge response packet from the server; PEAP doesn't factor in quite that early. Or do I misunderstand?
Any help would be appreciated.Thanks for the reply.
> At the command prompt, type the following command, and then press ENTER:
> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
I had read about that previously. I had checked whether it was enabled or not, and it only had failure enabled. So following the recomendation on that
page, I disabled both, then enabled both. So yes, it's currently enabled. And after this, I tried both the PC and phone again, and while I saw the PC's authentication succeed in the Event Log, I still see nothing for the phone.
> PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible
Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
Yeah, but
if I understand correctly (and I'm going to read your link right after I post this), after the switch sends the initial Access-Request message in the clear, the RADIUS server should then respond with an Access-Challenge to begin securing the connection beween
itself and the phone, regardless of what the phone has set for it's security type. If the phone can't talk in a way that the server is set to accept, then it won't respond to the Access-Challenge packet, but the server should be sending that Access-Challenge
in the first place. Or is there something I've missed in the Access-Request packet that specifies what security type(s) it can handle? I thought that happened after the Access-Challenge?
> Please also provide us the type of your Nortel IP Phone, because some types of Nortel IP Phone may only support EAP-MS-CHAP v1 which is not supported by Windows
2008. We also suggest that you might post your issue on Nortel forums to ask for some more help.
I'm
using a Nortel 1120e phone for testing; we also have 1140e phones that will be used with this when it's working, but they should be the same as far as this setup is concerned. I read somewhere that perhaps the Nortel phones only support PEAP-MD5, which
doesn't seem to be an option in NPS without a reghack. I'm also following up with our Nortel support locally, as the phone itself and the manual for the phone only says "PEAP" without specifying what it's using inside, but right now I'm trying to determine
whether the problem lies with the phone or the server or both. So I thought I'd ask the experts here.
FWIW,
I've been testing using a HP ProCurve 3400cl with the lastest firmware. I've managed to get the same setup on a Cisco Catalyst 3550 switch, also on it's latest firmware, and I get the same results. The PCs can authenticate, the phone can't; NPS
still isn't responding. -
NPS Server Sizing - Millions of Connections
Hello --
I am looking for server sizing requirements for the NPS server which could potentially serve millions of devices.
I've seen the previous post related to sizing found here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a4b21739-1416-416f-80d1-434e03e86434/sizing-reccomendations-for-nps
Any recommendations or documents you can provide would be helpful.
Thank You!Hi,
Based on your description, you would like to find related documents about how many clients one NPS server can serve or how many authentication requests one NPS server can process.
As far as I know, there is no similar document from Microsoft about this.
Greg’s post gave detailed information about this issue. And the article which Greg provided
Best Practices for NPS(http://technet.microsoft.com/en-us/library/cc771746(v=WS.10).aspx ) is a good reference about NPS.
In this article, it mentions some best practices about using NPS in large organizations. Such as, if NPS server receive a very large number of authentication requests per
second, we can improve performance by increasing the number of concurrent authentications between NPS and the DC.
Best Regards,
Tina -
How many NPS server can be registered as radius server in AD
Hi
We are using 2x Microsoft (2008 R2 Ent) NPS radius servers for our Wifi authentication for two different SSID on Aerohive WLAN network.
Trying to setup radius authentication for our Cisco Network devices and trying to use one of the radius server which we are using for our wifi auth. Followed all the steps but auth keep failing and now I am getting to the point where I am ready to deploy
new NPS server for this.
Before I go ahead and complete the install and register the new radius server in our AD, I would like to know if there is a limit for how many radius servers can be registered in Microsoft Active Directory.
Thanks Heaps
SidI believe from the older versions, that the limit was 256? But of course, we wouldn't want to go that far.
If you are trying to configure a Cisco device and you have a Cisco 24/7 Gold Support contract, they will help you and step you through it on both the Cisco side and the Windows side. I've used them before for a Cisco AP 1231 a few years back, and their support
was phenomenal and well worth the price of the contract.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
2 ssid with 802.1x NPS server
hi
i have a 1140 AP and i have an ssid on it authenticate users from NPS server.
but now i need to conifure on it 2 ssid with different vlans each ssid authenticate from the same NPS server but with diferent groups.
how could i do this ?Hello there..
Below link are config examples
http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
VLANS on a autonomous example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml
802.1X example
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
NPS 802.1X config info
http://blogs.technet.com/b/nap/archive/2008/06/19/nap-802-1x-configuration-walkthrough.aspx
This should get you started ... -
AD user login or services will affect if we add new NPS server in existing AD environment ?
Hi
We have three Domain controllers in our company in Windows 2008 R2 platform and different RODCs .We would like to add an additional NPS server in it.Existing AD user login or services will affect by this?Hi,
Based on my research, if the NPS server is a member of an AD DS domain, NPS uses the directory service as its user account database and is part of
a single sign-on solution. The same set of credentials is used for network access control and to log on to an AD DS domain. NPS will compare user credentials that it receives from network access servers with the credentials that are stored for the user
account in AD DS to perform authentication. Furthermore, NPS server uses network policy and checks user account dial-in properties in AD DS to authorize connection requests.
For more information, please refer to the link below:
Register the NPS Server in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc754878.aspx
Best regards,
Susie -
Wireless with PEAP Authentication not working using new NPS server
All,
We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
But it is not working for me. I am getting the following error message on the NPS server.
Error # 1
=======
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADXXX
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: XXX-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Error # 2
======
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
I was wondering if anyone has any insight on what is going on.
Thanks, DsScott,
I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
I disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADHFSVNPSPI01$
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: DOT-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: AD\mscdzs
Account Name: AD\mscdzs
Account Domain: AD
Fully Qualified Account Name: AD\mscdzs
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 64-ae-0c-00-de-f0:DOT
Calling Station Identifier: a0-88-b4-e2-79-cc
NAS:
NAS IPv4 Address: 130.47.128.7
NAS IPv6 Address: -
NAS Identifier: WISM2B
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 29
RADIUS Client:
Client Friendly Name: WISM2B
Client IP Address: 130.47.128.7
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Attached are EAP logs & debug logs from the controller.
Thanks for all the help. I really appreciate. -
Server 2012 NPS Server not authenticating IKEv2 requests
Hello Experts,I am having a weird problem regarding NPS Server when I upgraded my vpn servers from server 2008 R2 to Server 2012 R2. Actually in my infrasturcture I have a Windows 2008 R2 based AD and in its domain I have an NPS server joined as member server. This NPS server is based on server 2012 R2, when I upgraded my VPN servers from server 2008 R2 to server 2012 R2 the IKEv2 stops working every other protocols works on windows 7 when I try to connect using IKEv2 it hangs at verifying username and password nad when I tested IKEv2 in Win 8 it says IKE authentication credentials are unacceptable, inspite that my server certificate is valid EKU compatible. When I connected IKEv2 via my other server whose server 2008 R2 based VPN Server The IKEv2 works like a charm without any issues successfully authenticating. The problem seems to...
This topic first appeared in the Spiceworks CommunityIndeed the 255.255.255.255 subnet mask is expected for non-compliant clients.
But my issue is that non-compliant clients get an IP address from the entire subnet and i want to assign only a specific
range in my entire subnet/scope to be assigned to non-compliant clients.
It's funny you can specify an IP Address Range in the DHCP policy but then it doesnt work.
On the other hand you have a valid point there Greg about DNS/DHCP flooding.
Still hope to hear why this setup will not work and if it is supported or can work tough :-) -
802.1x dynamic VLAN assignment with Radius NPS Server
I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
I have followed this documentation,
http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
that basically says to use these Radius attributes,
Tunnel-Medium-Type : 802
Tunnel-Pvt-Group-ID : My_VLAN_Number (also tried VLAN name)
Tunnel-Type : VLAN
There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
and I have also tried that,
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and then does get an IP address in that VLAN and all is well.
Anybody know how to get dynamic VLAN assignment working with NPS?
NPS on Win 2012 R2
Domain controller separate Win 2012 R2 server
Cisco 3550 switchHi All, Can any one guide me to
configure 802.1x with acs 5.0. Its totally new look and m not able to
find document related to 802.1x.Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H -
Hi all
I have a wcs installed with Every thing functioning properly.I am trying to see the path on which the floor plan get stored in the server.
I would like to know that "is it possible to take the floorplan from the server" or "where is the image get stored in the server while uploading maps".
I had seen in webnms-->Map image folder.But the folder is empty.
Regards
DanishHi Danish:
The maps are stored under /webnms/webacs/images/domainmaps
When WCS is stopped, yes, it would be possible to copy/paste those files from that directory to some other, but I wouldn't recommend removing them or doing this while WCS is live.
Sincerely,
Rollin Kibbe
Network Management Systems Team -
NAP with DHCP with an external NPS server
Hi ,
I have setup NAP with DHCP setup in my lab setup and it is working . On my setup both the DHCP server and NPS are running on the same Longhorn server .
What I would like to understand better is the communication between the DHCP server and the radius server ( i.e NPS ) .I would therefore like to run these two components on two separate boxes and capture sniffer traces as the two are communicating.
My question is what do I need to configure to have the DHCP server and NPS to talk to each other since I will run them on two separate machines. Is there a write up that explains the interaction between the two .
Thanks
Mohammed YassinI have configured NPS2 to proxy Machine Identity "Machine health check" to NPS1. NPS2 is generating RADIUS Access-Requests when a client is attempting to obtain a DHCP address (as configured in the step by step doc) The RADIUS Access-Reject message is being returned, here is the output. There is no user account in the originating request from NPS2, nor is the user account info present in the DHCP request by the NAP enabled client so I'm not sure how this should work.
Log Name: System
Source: IAS
Date: 1/24/2007 9:25:47 AM
Event ID: 2
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: NPS1
Description:
User <not present> was denied access.
Fully-Qualified-User-Name = <undetermined>
Machine-Name = Infoblox-Vista1
OS-Version = <not present>
NAS-IP-Address = 192.168.0.3
NAS-IPv6-Address = <not present>
NAS-Identifier = NPS2
Called-Station-Identifier = 192.168.0.0
Calling-Station-Identifier = 001641E14B12
Client-Friendly-Name = NPS2
Client-IP-Address = 192.168.0.3
Client-IPv6-Address = <not present>
NAS-Port-Type = Ethernet
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Connections to other access servers
Authentication-Provider = Windows
Authentication-Server = NPS1.idblox.com
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Account-Session-Identifier=349348166
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="IAS" />
<EventID Qualifiers="32768">2</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-01-24T17:25:47.000Z" />
<EventRecordID>38921</EventRecordID>
<Channel>System</Channel>
<Computer>NPS1</Computer>
<Security />
</System>
<EventData>
<Data>%%2147483686</Data>
<Data>%%2147483685</Data>
<Data>Infoblox-Vista1</Data>
<Data>%%2147483686</Data>
<Data>192.168.0.3</Data>
<Data>%%2147483686</Data>
<Data>NPS2</Data>
<Data>192.168.0.0</Data>
<Data>001641E14B12</Data>
<Data>NPS2</Data>
<Data>192.168.0.3</Data>
<Data>%%2147483686</Data>
<Data>Ethernet</Data>
<Data>%%2147483686</Data>
<Data>Use Windows authentication for all users</Data>
<Data>Connections to other access servers</Data>
<Data>%%2147483688</Data>
<Data>NPS1.idblox.com</Data>
<Data>Unauthenticated</Data>
<Data>%%2147483685</Data>
<Data>349348166</Data>
<Data>65</Data>
<Data>%%3221229633</Data>
<Binary>00000000</Binary>
</EventData>
</Event> -
WCS 4.2.81 Server Backup
Does anyone have the automatic backup working in WCS? I have it enabled and set to every 3 days at 17:00 currently and it refuses to run. It's only performed 1 automatic backup for me ever when I had it set to 01:00 and then it stopped. Curious as to what is going on.
I experienced the same thing, so I upgraded to 4.2.97.0 and all is well with the backups now.
Maybe you are looking for
-
Not Allow 1st Character to Be a , or |
In a SQL table on occasion (very rarely) the 1st character is a , or a | is there a way to update to remove so if that is the case, or is there a way to update if/when this occurs? And if update is the best way to do such I would want to remove the
-
Please help with this issue. Is it a lack of memory? I still have 40 GB of memory on my machine and just added more RAM. Thanks - Jill Here's the problem: When I attempt to launch scripts>image processor, it tells me "Sorry something happened and I c
-
Choosing a cell depending on revolving Data
I hope I can explain this correctly. I have one cell in Table 1 that I want to be a word from another cell from Table 2 Column A, depending on the data in Table 2 Column B For example, I have a table (Table 2) with 2 columns where Column A = Name, an
-
Acrobat Pro X color management
We've just upgraded to Acrobat 10, and we have our own color management file. Even though I put it in the appropriate folder, it does not show up in the color management preferences window. Can anyone tell me how I can get my file to work? Thanks.
-
My ibooks don't sync properly with my iPhone. When I de-select certain books it automatically re-selectes them during the sync process and ends up not taking them off my iphone. Sometimes other books are automatically selected while others are not.