sbumpas (ASKER) asked:
Experience with Cisco wireless and NPS?

I'm trying to configure my Cisco wireless APs to authenticate via NPS. I had this config working fine under 2003 IAS, but rehoming the IP address on the APs to the new NPS server didn't do the trick, even after I configured a new policy that matches (as closely as possible) the 2003 IAS policy.

The new NPS server is also in a new domain, so I set up a new enterprise CA which the PEAP config recognizes. Does anyone have any tips/gotchas for this config? I'm not sure why NPS would be significantly more complex than IAS, but it's proving to be as such.
Cheever000

Did you configure the wireless AP as a RADIUS client on the NPS? The configuration between IAS and the 2008 version NPS is really similar. There is also a setting that you need to do to give NPS access to AD; did you complete that step already?
sbumpas (ASKER)

The wireless AP is configured as a RADIUS client, with matching shared secret.

Where can I verify NPS/AD access?
sbumpas (ASKER)

I found it; yes NPS is registered in AD.
The globe icon in NPS (Local): right-click it and it says "Register server in Active Directory".

Another thing you can do is check the event logs when a client tries to connect, and you can also debug RADIUS information on the AP.

Also check what order the remote access policies are set in NPS; this can affect the outcome as well.
sbumpas (ASKER)

There is only 1 access policy; it was created via a template in NPS (Configure 802.1X for RADIUS server for 802.1X Wireless/wired connections). I think that's the part throwing me, unless MS' template is no good?

Cisco has confirmed that AP config is good, especially because it works fine when I point the WDS back towards my 2003 server.
Do you see any NPS errors in the Windows event logs? That is also a good place to track this down. I recall there are the 2 default access policies; are they still there, and is yours above them?

In the connection request settings make sure EAP is also added to that list of authentication methods along with the network policies being configured.
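The event-log check suggested above can be scripted. The following PowerShell is an added example for this thread, not something posted by either participant: it pulls the NPS reject events (Event ID 6273 in the Security log, "Network Policy Server denied access to a user") and shows, per rejection, which connection request policy and network policy matched and which authentication type and EAP type the client actually presented, so a "method not enabled on the matching network policy" rejection can be tied to a specific policy and method. It assumes it is run elevated on the NPS server; the `$Hours` and `$ClientIP` parameters and the field names read from the event XML are as documented for this event, but were not taken from the thread.

```powershell
# Added example (not from the thread): summarise NPS Access-Reject events so a
# rejection can be tied to the policy that matched and the method the client used.
# Assumptions: run elevated on the NPS server; $Hours and $ClientIP are
# hypothetical parameters chosen here, not anything from the original post.
param(
    [int]$Hours = 24,
    [string]$ClientIP = ''   # optional: the AP's RADIUS client address
)

# 6273 = "Network Policy Server denied access to a user" (Security log)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields live in EventData as <Data Name="...">value</Data>
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($ClientIP -and $d['ClientIPAddress'] -ne $ClientIP) { continue }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        User          = $d['FullyQualifiedSubjectUserName']
        ClientIP      = $d['ClientIPAddress']      # the RADIUS client (AP/WLC)
        ConnReqPolicy = $d['ProxyPolicyName']      # connection request policy
        NetworkPolicy = $d['NetworkPolicyName']    # network policy that matched
        AuthType      = $d['AuthenticationType']   # e.g. EAP, MS-CHAPv2, PAP
        EAPType       = $d['EAPType']              # e.g. PEAP, when AuthType is EAP
        ReasonCode    = $d['ReasonCode']
        Reason        = $d['Reason']
    }
}

if (-not $rows) {
    Write-Host "No NPS reject events (6273) in the last $Hours hours."
    return
}

# If NetworkPolicy is one of the two default policies, ordering is the problem;
# if it is your policy but AuthType/EAPType is not what that policy allows,
# the policy's authentication-method constraints are the problem.
$rows | Group-Object NetworkPolicy, AuthType, EAPType, ReasonCode |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$rows | Sort-Object Time -Descending | Select-Object -First 10 |
    Format-List Time, User, ClientIP, ConnReqPolicy, NetworkPolicy, AuthType, EAPType, Reason
```

Run it as `.\Get-NpsRejects.ps1 -Hours 2 -ClientIP <AP address>` (script name is a placeholder) right after a client attempts to associate; if no 6273 events appear at all, the request is being discarded before policy evaluation (typically a RADIUS client or shared-secret mismatch) rather than rejected by a policy, and the NPS operational log under Applications and Services Logs is the place to look instead.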
sbumpas (ASKER)

The error I'm seeing in the event log is "The user attempted to use an authentication method that is not enabled on the matching network policy." But my client config hasn't changed at all.

My policy is above the 2 defaults, and they are still present.

Does a certificate need to be generated manually for this?  PEAP config shows a cert, but I didn't create it, it merely appeared after installing my enterprise CA.
ASKER CERTIFIED SOLUTION
Cheever000
This solution is only available to members.
sbumpas (ASKER)

Should MSCHAP_v2 be disabled completely when I use PEAP? There's another setting for MSCHAP_v2 in the PEAP settings, and that keeps throwing me off.

Any idea what the RADIUS attributes should be for the Network Policy?
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
Hey, thanks for the update. Sorry I couldn't help; I am glad it's working.