

How do I configure Network Policy Server to authenticate Web Captive Portal requests for wireless?

Posted on 2011-05-12
Medium Priority
Last Modified: 2012-06-21
I need assistance setting up a Windows 2008 Network Policy Server to be used as a RADIUS server for a Web Captive Portal used to authenticate users allowed to connect to a wireless network.
I have PEAP set up and operational for domain-joined workstations, but I need a separate authentication method set up for non-domain clients, so I created a separate WiFi network to use Captive Portal web authentication. However, I can't get the portal to successfully authenticate the user attempting to connect.
Question by:byt3

Author Comment

ID: 35773884
More Information:

I have done more digging and found that when the RADIUS client (Meru 4100 Controller) sends the access request, the Network Policy Server doesn't respond. In the Event Viewer I found "An Access-Request message was received from RADIUS client <ip address> with a message authenticator request attribute that is not valid." It appears as though the 'message authenticator attribute' is invalid and therefore the NPS doesn't respond at all (proper behaviour according to the RFC article from what I understand).

Domain-joined computers are configured with certificates, and those computers have no problem joining the domain using an SSID that authenticates using PEAP and does not cause the NPS to get the error about the message authenticator attribute.
I only have this problem when the web captive portal from the Meru 4100 mobility controller tries to authenticate the credentials the user enters in.

Accepted Solution

byt3 earned 0 total points
ID: 35774066
Well, turns out there was something goofed up on the Meru 4100 somehow. I changed the shared secret between the Meru mobility controller and the Network Policy Server and then everything started working.

I originally had the Network Policy Server console generate a random shared secret to use, and so I copied and pasted it into the RADIUS settings in the Meru controller. The reason this didn't strike me as the issue to begin with is that the shared secret wasn't a problem when the stations using PEAP connected, only when the clients using the web captive portal connected (in the Meru 4100 controller you create a 'RADIUS' profile, then configure the setups to use that profile, and both setups were using the same single 'RADIUS' profile).

I wonder if there is some glitch with the Meru controller and using a shared secret that is too long or something like that. I'll leave this question open temporarily to find out if this is a known bug.

Author Comment

ID: 35778376
No further information as to where the fault was, but recreating the shared secret did fix it.
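
The Message-Authenticator check behind the event log entry in this thread, as an added example that is not part of the original posts and is not NPS or Meru code: per RFC 2869 section 5.14 the attribute is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, so it only validates when both sides hold byte-identical secrets. The function names, secrets, Request Authenticator and attributes below are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869, section 5.14)

def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request (code 1) signed the way a RADIUS client would."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    packet = struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes

def find_message_authenticator(packet):
    """Return the offset of the 16-byte attribute value, or None if absent."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            return pos + 2
        pos += alen
    return None

def verify_message_authenticator(packet, secret):
    """True/False for a present attribute, None when the request carries none."""
    off = find_message_authenticator(packet)
    if off is None:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)

# Constructed sample values: secrets, Request Authenticator and attributes.
SERVER_SECRET = b"constructed-sample-secret-0123456789"
CLIENT_SECRET = SERVER_SECRET[:-1]  # the two copies differ by one character
ATTRS = [(1, b"guest"), (4, bytes([192, 0, 2, 10]))]  # User-Name, NAS-IP-Address
REQUEST = build_access_request(7, bytes(range(16)), ATTRS, CLIENT_SECRET)

if __name__ == "__main__":
    print([verify_message_authenticator(REQUEST, s) for s in (SERVER_SECRET, CLIENT_SECRET)])
```

Run against a captured Access-Request and the secret configured on the server, a `False` result corresponds to the "not valid" event quoted above and points at the shared secret on one side rather than at the user's credentials.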
