Experience with Cisco wireless and NPS?

sbumpas
I'm trying to configure my Cisco wireless APs to authenticate via NPS.  I had this config working fine under 2003 IAS, but rehoming the IP address on the APs to the new NPS server didn't do the trick, even after I configure a new policy that matches (as closely as possible) the 2003 IAS policy.

The new NPS server is also in a new domain, so I set up a new enterprise CA which the PEAP config recognizes.  Does anyone have any tips/gotchas for this config?  I'm not sure why NPS would be significantly more complex than IAS, but it's proving to be as such.
Did you configure the wireless AP as a RADIUS client on the NPS?  The configuration between the IAS and the 2008 version NPS is really similar.  There is also a setting that you need to do to give NPS access to AD; did you complete that step already?

Author

Commented:
The wireless AP is configured as a radius client, with matching shared secret.

Where can I verify NPS/AD access?

Author

Commented:
I found it; yes NPS is registered in AD.

The globe icon in NPS (Local): right-click it and it says Register in Active Directory.

Another thing you can do is check the event logs when a client tries to connect, and you can also debug RADIUS information on the AP?

Also check what order the remote access policies are set in NPS; this can affect the outcome also.

Author

Commented:
There is only 1 access policy, it was created via template in NPS (Configure 802.1x for RADIUS server for 802.1x Wireless/wired connections).  I think that's the part throwing me, unless MS' template is no good?

Cisco has confirmed that AP config is good, especially because it works fine when I point the WDS back towards my 2003 server.
Do you see any NPS errors in the Windows event logs? That is also a good place to track this down.  I recall there are 2 default access policies; are they still there, and is yours above that?

In the connection request settings make sure EAP is also added to that list of authentication methods along with the network policies being configured.

Author

Commented:
The error I'm seeing in the event log is "The user attempted to use an authentication method that is not enabled on the matching network policy." - but my client config hasn't changed at all.

My policy is above the 2 defaults, and they are still present.

Does a certificate need to be generated manually for this?  PEAP config shows a cert, but I didn't create it, it merely appeared after installing my enterprise CA.
Did you check the connection policy settings also, in the folder just above where the policy is set up?

They control access too. Another thought: I am not sure, but somewhere it may be trying to use MSCHAP_V2 for the password part; I don't know what you have enabled?

Author

Commented:
Should MSCHAP_v2 be disabled completely when I use PEAP?  There's another setting for MSCHAP_v2 in the PEAP settings, and that keeps throwing me off.

Any idea what the RADIUS attributes should be for the Network Policy?
PEAP should be working without it, but even the error mentions that an authentication protocol was used that was not enabled; try adding more choices until you can figure out which one is required?
Commented:
After creating a new policy line-by-line to match my original 2003 IAS policy, I came up with this error and solution:

The user attempted to use an authentication method that is not enabled

When you use NAP with 802.1X or VPN enforcement, you must configure settings in the connection request policy to override network policy authentication settings. If this setting is not enabled, NPS will deny network access requests by NAP client computers with the following reason: "The user attempted to use an authentication method that is not enabled on the matching network policy." To fix this issue, configure connection request policy to override network policy authentication settings.

To configure connection request policy to override network policy authentication:

1. On the server running NPS, click Start, click Run, type nps.msc, and press ENTER.
2. In the console tree, open Policies\Connection Request Policies.
3. In the details pane, right-click the name of your connection request policy for 802.1X or VPN connections, and then click Properties.
4. Click the Settings tab, click Authentication Methods, select Override network policy authentication settings, and then click OK.

In 2003, apparently you didn't need to specify authentication type in the connection request policy, whereas with 2008[R2] you do.  Thanks!
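As an added example (not code from this thread), a PowerShell script that pulls NPS reject events (Event ID 6273 in the Security log) and groups them by reason, then lists the requests that failed with the exact error quoted above together with the connection request policy, network policy and EAP type NPS evaluated. It assumes it runs on the NPS server with NPS auditing enabled; the field names are those NPS writes into the 6273 event data, and the optional AP address filter is an assumption of the example.

```powershell
# Added example: triage NPS reject events to find "authentication method not
# enabled" failures and see which policies/auth methods NPS actually evaluated.
# Assumes an elevated session on the NPS server with NPS auditing on, e.g.
#   auditpol /set /subcategory:"Network Policy Server" /failure:enable
param(
    [int]$Hours = 24,
    [string]$ApAddress = $null   # optional: RADIUS source IP of one AP (assumed parameter)
)

$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Event data is a list of <Data Name="..."> elements; turn it into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($ApAddress -and $d['ClientIPAddress'] -ne $ApAddress) { continue }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        User           = $d['SubjectUserName']
        NAS            = $d['ClientIPAddress']      # the AP / WDS sending the request
        CallingStation = $d['CallingStationID']     # wireless client MAC
        CRP            = $d['ProxyPolicyName']      # connection request policy that matched
        NetworkPolicy  = $d['NetworkPolicyName']
        AuthType       = $d['AuthenticationType']
        EAPType        = $d['EAPType']
        ReasonCode     = [int]$d['ReasonCode']
        Reason         = $d['Reason']
    }
}

# Overview: how many rejects per reason in the window
$rows | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object @{n='ReasonCode'; e={$_.Name}}, Count,
                  @{n='Reason'; e={$_.Group[0].Reason}} | Format-Table -AutoSize

# The error from this thread (NPS logs it as Reason Code 66). Matching on the text
# keeps the check readable; the CRP/NetworkPolicy/EAPType columns show where the
# client's auth method and the policy's enabled methods disagree.
$rows | Where-Object { $_.Reason -like '*not enabled on the matching network policy*' } |
    Select-Object Time, User, NAS, CallingStation, CRP, NetworkPolicy, AuthType, EAPType |
    Format-Table -AutoSize
```

If the listing shows the expected network policy and EAP type but the request is still rejected, the connection request policy's Override network policy authentication settings option described above is the setting to check first.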
Hey, thanks for the update. Sorry I couldn't help; I am glad it's working.