Solved

Need help resolving a WPA2-Enterprise authentication issue

Posted on 2015-02-14
9
151 Views
Last Modified: 2016-11-23
I have a dedicated pfSense box. The lan port feeds into a basic 8 port switch which supports a LinkSys WRT 1900AC access point, an old DC (DC1), and an eSXI 5.5 box.

ESXI is running a new DC (DC2) that used to be physical, but was virtualized.

pfSense
---switch
------Access point
------DC1
------ESXI
---------DC2 <--VM

I hope that generic graphic makes sense. Anyhow, my AP can authenticate against DC1 without any problems; however, I cannot get it to authenticate against DC2. All the services and firewall settings are set up correctly. This machine worked fine when it was physical. Also, I have tested other services (my kids' Minecraft server was running on it for a while) and they are accessible from the WAN side of the pfSense box, so I know I have connectivity.

I was thinking maybe I needed to connect the AP to the second ESXi Ethernet port? I am an ESXi novice, so any direction would be greatly appreciated. And if it helps, both the pfSense and ESXi boxes are running on Dell PowerEdge R210 servers. ESXi has 16GB of RAM and the pfSense has 8GB.
0
Question by:ejunkie247
9 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40610578
Are you running NPS on DC2?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40610822
Did the IP address of DC2 change? Is it on the same subnet as DC1 and the access point? Can you browse the file shares on DC2 from another computer? I am wondering if you did the ESXi networking correctly. It should be in bridge mode.
0
 

Author Comment

by:ejunkie247
ID: 40610928
DC2 retained the same IP address. It is statically set by the pfSense box which supplies DHCP for the entire network so, yes, they are all on the same subnet. From a laptop I can access all devices on the network. If I move an object from one OU on either DC it replicates over to the other a few moments later. I can even use LDAP to authenticate logins to the pfSense box using DC2 to authenticate against. Near as I can tell, it is only the wireless that cannot authenticate against DC2.

Pardon me for letting my "newbness" show, but how do you check to see if it is in bridged mode in ESXi? For the most part I left everything default and only changed things that seemed like they may need to be changed, such as adding the DNS and gateway.
0

Author Comment

by:ejunkie247
ID: 40610933
Craigbeck,
Yes, NPS is running on DC2. I replicated the setup on DC1 while DC2 was still a physical machine so I could switch between the two for maintenance and because DC1 is an aging system which I suspect will retire itself in the next year. At the time DC2 was virtualized it was being used as the day to day NPS server.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 40610949
It is very possible to set up a network connection where the VM is behind a NAT connection on the host. It sounds like that is not happening here. I suggest running Wireshark on DC2 and seeing if it is seeing the RADIUS traffic from the AP. If you can run Wireshark to capture all of the AP traffic, that would be helpful too.

If you run 'netstat -a' on DC2 do you see a listening port that you expect for NPS?
0
 

Author Comment

by:ejunkie247
ID: 40610990
netstat -a does show that DC2 is listening for traffic on 389, 1812, and 1813, as I had expected. I ran Wireshark and I did not get the traffic when I attempted to authenticate. On a whim, I decided to remove one hop. My AP has been physically connected to the switch and so was ESXi. So I directly connected ESXi to the AP and the traffic is getting through now. I still cannot authenticate, but at least I know the traffic is getting through. I am not sure what is going on with my switch that could be causing this, but at least it is a step forward.

Thank you!
0
 
LVL 46

Accepted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 40611098
OK, can you check the custom logs on DC2 to see if authentication requests are being seen by the NPS service?
0
 

Author Comment

by:ejunkie247
ID: 40611192
Craigbeck,
This is priceless. So prior to virtualization I had two drives in DC2, one for the OS and all data storage, the other was just transient data for the most part. Since the second drive was not linked to anything like network shares, I pulled it before virtualizing. It never occurred to me that my accounting log was being written to it. As such, my accounting log was pointed to a folder location that did not exist. I'm sure I must have overlooked some event logs pertaining to this.

Anyhow, I pointed the log to a freshly created folder that does exist and tried again. Lo and behold, it worked.

Between the switch issue and the log issue I was rapidly going mad. Thank you both for your assistance with this!!! :)
0
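The three checks the thread converged on (is NPS bound to 1812/1813, does the accounting log directory exist and accept writes, and what is NPS recording in the Security log) can be run as one script on the NPS server. This is an added example, not something posted in the thread; it assumes Windows Server 2012 or later with the NetTCPIP module, and the accounting log directory parameter is an assumed default that must be set to whatever is configured under NPS > Accounting.

```powershell
# Added NPS health check (hypothetical, not from the thread above).
# Assumes Windows Server 2012+ and the NetTCPIP module (Get-NetUDPEndpoint).
param(
    # Assumed default; replace with the directory configured in NPS > Accounting.
    [string]$AccountingLogDir = 'C:\Windows\System32\LogFiles'
)

# 1. Is NPS actually bound to the RADIUS authentication/accounting ports?
foreach ($port in 1812, 1813) {
    $ep = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    if ($ep) {
        "UDP $port : listening (owning PID $($ep.OwningProcess | Select-Object -First 1))"
    } else {
        "UDP $port : NOT listening - check the NPS service and Windows Firewall"
    }
}

# 2. Does the accounting log directory exist, and can the server write to it?
#    A missing or unwritable directory is exactly the failure mode in this thread.
if (-not (Test-Path -LiteralPath $AccountingLogDir -PathType Container)) {
    "Accounting log dir '$AccountingLogDir' does not exist"
} else {
    try {
        $probe = Join-Path $AccountingLogDir ("nps-probe-{0}.tmp" -f [guid]::NewGuid())
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        "Accounting log dir '$AccountingLogDir' exists and is writable"
    } catch {
        "Accounting log dir '$AccountingLogDir' exists but is not writable: $($_.Exception.Message)"
    }
}

# 3. Recent NPS outcomes from the Security log:
#    6272 = access granted, 6273 = access denied, 6274 = request discarded.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the NPS server; if step 1 shows the ports listening and step 3 shows nothing at all while the AP is sending requests, the traffic is being lost before it reaches the server (the switch-path problem earlier in the thread), whereas discarded (6274) events point at server-side configuration such as the accounting log.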
 

Author Closing Comment

by:ejunkie247
ID: 40611196
The feedback and troubleshooting suggestions resolved the two contributing conditions that caused my problem ... Thank you both!!!
0
