Windows 2008R2 NPS wired clients not authenticating via 802.1x

Microsoft Windows 2008 R2 Server NPS

I recently set up a Microsoft Windows 2008 R2 Server running an AD, DNS, Certificate Authority, and NPS.  The goal is to authenticate wireless and wired clients via EAP/TLS and PEAP-MSCHAPv2.

Currently, the wireless clients are authenticating with both PEAP/MSCHAPv2 and EAP/TLS as expected.

The wireless network is a Cisco 2504 WLAN controller running 8.2.112 firmware.

However, none of my wired clients will authenticate with either EAP type.  I do know they are contacting the NPS server because each time I initiate a connection I receive the following events.

4672, 4624 and 4634

The NPS event log does not have any entries in the system for when my wired clients attempt to authenticate.

I have tested with two different switches.  One is a Cisco 3560CX running IOS 15.2 and the other is a NetGear GS110TP.

I did read in another forum that it could be the MTU setting on the NPS server, and it suggested setting the MTU size in NPS to 1344, which I did.  This did not seem to make any change.  I’m not sure what to look at from here; any help would be greatly appreciated.

I double and triple checked the shared secrets, which at this point I have simply set to “password” for testing purposes.  Obviously this will change later.

Cisco switch configuration:

| => ssh Cisco@10.0.1.5
Password: 

c3560cx#sh run bri
Building configuration...

Current configuration : 6516 bytes
!
! Last configuration change at 13:49:07 MST Mon Jun 11 2018 by Cisco
! NVRAM config last updated at 13:39:05 MST Mon Jun 11 2018 by Cisco
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c3560cx
!
boot-start-marker
boot-end-marker
!
enable secret 
!
username Cisco privilege 15 secret 
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication dot1x default group radius
aaa authorization exec default local 
!
!
!
!
!
!         
aaa session-id common
clock timezone MST -7 0
clock summer-time MST recurring
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
!
!
!
!
ip domain-name minion.lab
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 75.75.75.75
ip name-server 75.75.76.76
!
!         
!
!
!
udld enable

authentication logging verbose
!
!

dot1x system-auth-control
dot1x logging verbose
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template webauth-global-inactive
 inactivity-timer 3600 
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
port-channel load-balance src-dst-ip
!
!
!
!
!
!
parameter-map type webauth AI_NRH_PMAP
 type authbypass
!
vlan internal allocation policy ascending
!
lldp run  
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
 match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
 match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
 match method dot1x
 match result-type method dot1x method-timeout
!
!
!
!
!
!
!
!
!         
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description "EtherChannel Uplink Cisco 3560X"
 switchport mode trunk
!
interface Port-channel3
 description "EtherChannel MacBook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
!         
interface GigabitEthernet1/0/1
 description Uplink Cisco 3560X
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 description Uplink Cisco 3560X
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 description "Macbook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/4
 description "Macbook Pro"
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge
 channel-protocol lacp
 channel-group 3 mode active
!
interface GigabitEthernet1/0/5
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/6
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/7
 description OneTouch AT G2
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/8
 description OneTouch AT G2
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/9
 description "LinkRunner G2 - Cable Black"
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/10
 description "LinkRunner G2 - Cable Yellow"
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/11
 description "OneTouch AT G2 - Cable Light Blue"
 switchport access vlan 150
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
 description "OneTouch AT 10G - Cable Red"
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/14
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/16
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast edge
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 10.0.1.5 255.255.255.0
!
!
!
ip default-gateway 10.0.1.1
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
!
!
!
!         
radius server Windows2008R2_NPS
 address ipv4 10.20.8.5 auth-port 1812 acct-port 1813
 key 7 051B071C325B411B1D
!
!
line con 0
line vty 0 4
 exec-timeout 3 0
 transport input ssh
line vty 5 15
 exec-timeout 3 0
 transport input ssh
!
ntp server time1.google.com
ntp server time3.google.com
ntp server time2.google.com
ntp server time4.google.com
!         
end

c3560cx#


Windows NPS Wired Policy Configuration:



Asked by: Kris Armstrong, Senior Support Engineer
Craig Beck commented:
The events you're seeing aren't related to 802.1x.  You should see NPS logs if the switch is sending access requests.

At the switch do some debugs...

debug dot1x events
debug aaa events

...and post the output, please.

Based on your config 802.1x is only configured on port Gi1/0/11.

Also, I wouldn't mix EAP types.  If you can use EAP-TLS, just use that.  PEAP-MSCHAPv2 is less-secure.
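The finding above ("802.1x is only configured on port Gi1/0/11") comes from reading the stanzas by eye. The following Python script is an added example, not code from the thread or from either participant: it parses an IOS running-config into interface stanzas and reports which physical ports actually carry the authenticator commands, alongside the global prerequisites (aaa new-model, dot1x system-auth-control, an aaa authentication dot1x line pointing at RADIUS, and a radius server definition) without which the switch never sends an Access-Request. The embedded SAMPLE_CONFIG is a constructed, trimmed excerpt modelled on the posted 3560CX config. It assumes a port is 802.1X-enabled only when both `port-control auto` (either the `access-session` or the legacy `authentication` spelling) and `dot1x pae authenticator` are present, which matches the legacy-style port configuration in the thread; it does not evaluate IBNS 2.0 policy-maps.

```python
"""Audit a Cisco IOS running-config for per-port 802.1X readiness.

Added example, not part of the original post: it automates the
"which ports actually have dot1x on them" check from the answer.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the posted 3560CX config (trimmed, not the
# full dump). Feed it the output of `show running-config` to audit a real box.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/11
 description "OneTouch AT G2 - Cable Light Blue"
 switchport access vlan 150
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
 switchport access vlan 150
 switchport mode access
!
interface GigabitEthernet1/0/13
 switchport mode access
!
interface Vlan1
 ip address 10.0.1.5 255.255.255.0
!
radius server Windows2008R2_NPS
 address ipv4 10.20.8.5 auth-port 1812 acct-port 1813
 key 7 051B071C325B411B1D
!
"""

PHYSICAL_PORT = re.compile(r"^(FastEthernet|GigabitEthernet|TenGigabitEthernet)\d")
# Either spelling enables the authenticator on a port; which one IOS prints
# depends on the "authentication display" mode.
PORT_CONTROL = {"access-session port-control auto", "authentication port-control auto"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split the config into interface stanzas: name -> list of sub-commands.

    A stanza ends at the first non-indented line ('!' or the next global
    command), which is how IOS prints nested configuration.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def global_checks(config: str) -> Dict[str, bool]:
    """Global commands without which no port will ever send an Access-Request."""
    lines = {ln.strip() for ln in config.splitlines()}
    return {
        "aaa new-model": "aaa new-model" in lines,
        "dot1x system-auth-control": "dot1x system-auth-control" in lines,
        "aaa authentication dot1x -> radius": any(
            re.match(r"aaa authentication dot1x \S+ group radius", ln) for ln in lines
        ),
        "radius server defined": any(
            ln.startswith("radius server ") or ln.startswith("radius-server host ") for ln in lines
        ),
    }


def audit_ports(stanzas: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify each physical port as 'dot1x', 'trunk' (not applicable) or 'open'."""
    result: Dict[str, str] = {}
    for name, cmds in stanzas.items():
        if not PHYSICAL_PORT.match(name):
            continue  # skip Vlan, Port-channel and other logical interfaces
        if "switchport mode trunk" in cmds:
            result[name] = "trunk"
        elif "dot1x pae authenticator" in cmds and any(c in PORT_CONTROL for c in cmds):
            result[name] = "dot1x"
        else:
            result[name] = "open"  # access/unconfigured port: a supplicant is never challenged
    return result


def open_ports(config: str) -> List[str]:
    """Ports, in config order, that will silently pass traffic without 802.1X."""
    return [p for p, state in audit_ports(parse_interfaces(config)).items() if state == "open"]


def report(config: str) -> str:
    lines = [f"{'OK     ' if ok else 'MISSING'} {name}" for name, ok in global_checks(config).items()]
    lines += [f"{state:7} {port}" for port, state in audit_ports(parse_interfaces(config)).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against the posted config, every access port except Gi1/0/11 lands in the "open" list, which is the answer's point: a wired client on any of those ports never gets an EAP-Request/Identity, so there is nothing for NPS to log. The global checks all pass for the posted config, so the port stanzas are the only place the dot1x path can break on the switch side.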
 
Kris Armstrong (author) commented:
Craig,

Thanks for the post.  Well, I have no idea what I did last night, but all of a sudden it started working on the Cisco switch; it is still not working on the NetGear.

I now need to try and backtrace what I did and figure out why the Cisco is working and the NetGear GS110 is not.  Really, the NetGear is not a big deal whether it works or not; it is more a matter of wanting to know WHY.  I don't see much in terms of debugging capabilities on the NetGear, though.

Next will be to stand up a 2012 and 2016 to do the exact same thing.

In terms of the EAP types, this is not for a production environment; this is purely for a lab and testing purposes, hence the reason for both types.

Thanks,