802.1X and Windows NPS Configuration Best Tips


Does anyone have any suggestions on how to best configure the VNS and Windows NPS to handle 802.1X? I'm finding in our tests that users seem to drop off the VNS during the day and need to reconnect as well as just roaming throughout the building. Our NPS logs on the Windows server would appear to show the same. I did just turn on opportunistic keying and preauth but I'm curious if there are any other tweaks I should look for? Especially for iOS devices since we have quite a few of those. Thanks!
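The NPS side of this is worth checking before opening a case, since a scheduled re-authentication looks like a "drop" in the log unless you line the records up per client. The following is an added example, not code from this thread, from Extreme or from Microsoft: it parses NPS log records in the DTS-compliant XML format (the element names are assumed to match what NPS writes; the records themselves are constructed for the example) and groups them by client MAC, reporting Access-Rejects with their Reason-Code and whether a client's Access-Accepts recur at a fixed interval, which points at a configured session timeout or re-authentication interval rather than a genuine disconnect.

```python
"""Added example: sort NPS RADIUS log records by client to separate real
drops (Access-Rejects, irregular re-auths) from scheduled re-authentication
(Access-Accepts at a fixed interval). Not Extreme's or Microsoft's code."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import median

# RADIUS packet type codes as NPS writes them into Packet-Type (RFC 2865).
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# A few NPS Reason-Code values that show up most often in 802.1X troubleshooting.
REASON_TEXT = {
    0: "success",
    16: "credentials mismatch",
    48: "no matching network policy",
    66: "EAP type not enabled on matching policy",
}

TS_FORMAT = "%m/%d/%Y %H:%M:%S.%f"   # NPS DTS Timestamp layout

# Constructed sample records in the shape of NPS "DTS compliant" logging
# (one <Event> per line). Element names are assumed to follow NPS's DTS
# output; the users, MACs and times are invented for this example.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">09/22/2015 08:00:01.000</Timestamp><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">CORP\\aschmitt</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-11-22-33</Calling-Station-Id></Event>
<Event><Timestamp data_type="4">09/22/2015 08:00:01.050</Timestamp><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CORP\\aschmitt</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-11-22-33</Calling-Station-Id><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 08:05:00.000</Timestamp><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CORP\\jdoe</User-Name><Calling-Station-Id data_type="1">DD-EE-FF-44-55-66</Calling-Station-Id><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 08:10:00.000</Timestamp><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">guest</User-Name><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 08:40:00.000</Timestamp><Packet-Type data_type="0">3</Packet-Type><User-Name data_type="1">CORP\\jdoe</User-Name><Calling-Station-Id data_type="1">DD-EE-FF-44-55-66</Calling-Station-Id><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 08:41:00.000</Timestamp><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CORP\\jdoe</User-Name><Calling-Station-Id data_type="1">DD-EE-FF-44-55-66</Calling-Station-Id><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 09:00:00.200</Timestamp><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CORP\\aschmitt</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-11-22-33</Calling-Station-Id><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">09/22/2015 10:00:01.000</Timestamp><Packet-Type data_type="0">2</Packet-Type><User-Name data_type="1">CORP\\aschmitt</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-11-22-33</Calling-Station-Id><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def _field(event, name):
    el = event.find(name)
    return el.text if el is not None else None


def parse_nps_dts(text):
    """Parse DTS log lines into dicts with only the fields this check needs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = ET.fromstring(line)
        ptype = _field(ev, "Packet-Type")
        if ptype is None:
            continue
        reason = _field(ev, "Reason-Code")
        events.append({
            "ts": datetime.strptime(_field(ev, "Timestamp"), TS_FORMAT),
            "type": int(ptype),
            "user": _field(ev, "User-Name"),
            "mac": _field(ev, "Calling-Station-Id"),
            "reason": int(reason) if reason is not None else None,
        })
    return events


def is_periodic(intervals, tolerance=0.1):
    """True when at least three accepts are spaced within `tolerance` of their
    median: the signature of a configured session timeout or re-authentication
    interval rather than a random drop."""
    if len(intervals) < 2:
        return False
    m = median(intervals)
    return m > 0 and all(abs(i - m) <= tolerance * m for i in intervals)


def summarize_by_client(events):
    """Group responses by Calling-Station-Id (client MAC) and return, per MAC,
    accept/reject counts, reject reasons, minutes between successive accepts
    and whether those accepts look periodic."""
    per_mac = defaultdict(lambda: {"user": None, "accepts": 0, "rejects": 0,
                                   "reasons": defaultdict(int), "times": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["mac"] is None:
            continue                      # record without a client MAC
        entry = per_mac[ev["mac"]]
        entry["user"] = ev["user"] or entry["user"]
        if ev["type"] == ACCESS_ACCEPT:
            entry["accepts"] += 1
            entry["times"].append(ev["ts"])
        elif ev["type"] == ACCESS_REJECT:
            entry["rejects"] += 1
            label = REASON_TEXT.get(ev["reason"], f"code {ev['reason']}")
            entry["reasons"][label] += 1
    summary = {}
    for mac, entry in per_mac.items():
        t = entry["times"]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(t, t[1:])]
        summary[mac] = {
            "user": entry["user"],
            "accepts": entry["accepts"],
            "rejects": entry["rejects"],
            "reasons": dict(entry["reasons"]),
            "intervals_min": [round(g, 1) for g in gaps],
            "periodic": is_periodic(gaps),
        }
    return summary


if __name__ == "__main__":
    for mac, s in summarize_by_client(parse_nps_dts(SAMPLE_LOG)).items():
        verdict = "periodic re-auth (check Session-Timeout)" if s["periodic"] else "irregular"
        print(f"{mac} {s['user']}: {s['accepts']} accepts, {s['rejects']} rejects "
              f"{s['reasons']}, gaps {s['intervals_min']} min -> {verdict}")
```

To use it against a real server, read the NPS log file into `parse_nps_dts` instead of `SAMPLE_LOG`. A client whose accepts land every N minutes is re-authenticating on a schedule (session timeout or re-auth interval on the policy or controller), while rejects with a non-zero Reason-Code such as 16 or 48 point at credentials or policy matching rather than at roaming or idle timeouts; on the sample data the first client shows a clean 60-minute cadence, the second an irregular reject-then-accept pair.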

11 replies

Userlevel 7
Andrew,

If you don't have a day/time restriction on your NPS policy, I would say it must be something else that would require a bit more investigation. I would suggest contacting the GTAC so further diagnostics can be captured from your system during an event. I would have the following ready when you reach out...

Controller Tech Support...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Collect-a-Tech-Support-File-From-a-Wireless-Controller

Access Point Data from where the user was attached...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Collect-Access-Point-Logging-Information-Trace-Bundle
Userlevel 7
How about 802.11r, which is now supported in V9.21?
Some iOS devices support it; here is the list:
https://support.apple.com/en-us/HT202628

-Ron
Userlevel 7
Thanks Ron, please note...

https://gtacknowledge.extremenetworks.com/articles/Solution/Apple-IOS-Clients-with-Connection-Issues-on-Firmware-9-21-xx
Thank you both. I'm still struggling with this so I think I'll need to call GTAC. I join the 802.1X network that now has 802.11r on and Management Frame Protection off with an iPhone 6. The device works on the network, but when the device leaves the building and comes back, it never rejoins. Manually tap it again and it joins OK.
Userlevel 7
I'm running 9.21.02 on my lab controller, 3825i, 802.1X, PEAP. I just tested my iPhone 6 (8.4.1), no issues. How long are you out of the building? Longer than the default 30 min idle timeout?
Yes, it was an hour, but I don't see how it's different from a WPA2-PSK network where the device caches the credentials and just reuses them when it sees the AP again. Am I missing something with 802.1X?
Userlevel 7
Could you be roaming controllers?
I only have one V2110. It's running 09.21.02.0014. Could it have anything to do with the topology? It starts bridged at controller and then switches to bridged at AP after auth.
Userlevel 7
Andrew Schmitt wrote:

I only have one V2110. It's running 09.21.02.0014. Could it have anything to do with the topology? It starts bridged at controller and then switches to bridged at AP after auth.

All in the same IP subnet?
Andrew Schmitt wrote:

I only have one V2110. It's running 09.21.02.0014. Could it have anything to do with the topology? It starts bridged at controller and then switches to bridged at AP after auth.

No, sir. The installer set it up as mentioned because the wireless clients need to be in a different subnet than the rest of the network, since I ran out of DHCP scope space. It's all converging at layer 3 on the X460 stack. If I didn't bridge at AP, I would need to allow everything as a RADIUS client through PEAP, as far as I understand it, but I'm new to IdentiFi of course 🙂
Userlevel 7
Andrew Schmitt wrote:

I only have one V2110. It's running 09.21.02.0014. Could it have anything to do with the topology? It starts bridged at controller and then switches to bridged at AP after auth.

Okay, so the client would not get an IP until it authenticated. So using B@AP is not an issue; the clients will always get the IP from the Authenticated role. Contacting GTAC would probably be your best option; someone will look at the client state when it roams back into the network. It should try and probe the nearest AP, then attempt to attach again...

I go home at night, then come back into the lab in the morning and my phone hooks right back up. I'm using B@AP tagged for my topology.